Mastermind 

How  to  build  a 
fraud  prevention 
program  that  works 

PAGE  28 

Rules  of  Order 

Firewall  audit 
tools,  audited 

PAGE  18 


Numbers 

Game 

IT  security  needs  solid  metrics 
and  common  language.  Formal 
risk-assessment  frameworks 
aim  to  help,  but  how  well  do  they 
work  in  the  real  world?  page  24 


IBM,  the  IBM  logo,  ibm.com,  Smarter  Planet  and  the  planet  icon  are  trademarks  of  International  Business  Machines  Corp.,  registered  in  many  jurisdictions  worldwide.  Other  product  and  service  names 
might  be  trademarks  of  IBM  or  other  companies.  A  current  list  of  IBM  trademarks  is  available  on  the  Web  at  www.ibm.com/legal/copytrade.shtml.  ©  International  Business  Machines  Corporation  2009. 


Smarter  technology  for  a  Smarter  Planet: 

Finding  meaning  in  the  noise. 

An  unprecedented  amount  of  information  flows  through  companies  every  day.  But  to  what  effect? 
A  recent  study  found  that  52%  of  managers  have  no  confidence  in  the  information  they  rely  on  to  do 
their  job.  Without  the  right  approach  to  business  intelligence,  companies  struggle  to  turn  all  that 
information  into  sound  decisions.  IBM  business  intelligence  and  performance  management  solutions 
give  you  the  smarter  tools  you  need  to  access  the  right  information,  making  it  available  to  the  right 
people  when  and  how  they  need  it.  Today  IBM  is  helping  over  20,000  companies  spot  trends,  mitigate 
risk  and  make  better  decisions,  faster.  In  fact,  we  helped  a  major  retail  supplier  achieve  this  by  cutting 
their  average  financial  reporting  time  by  almost  50%. 


A  smarter  business  needs  smarter  software,  systems  and  services. 
Let’s  build  a  smarter  planet,  ibm.com/intelligence 


May  2010  Vol.  9,  No.  4 


Features... 

24  Numbers  Game 

Cover  Story  |  IT  risk 

IT  security  remains  a  field  in  search 
of  solid  metrics  and  a  common 
language.  Formal  risk-assessment 
frameworks  aim  to  fill  the  gap,  but 
how  well  do  these  methodologies 
work  in  the  real  world?  By  Bob  Violino 

28  Show  Me 
the  Money 

Fraud  |  Financial  institutions 
once  considered  fraud  an  annoying 
but  acceptable  risk.  As  the  stakes 
rise,  banks  and  lenders  must 
connect  their  defensive  efforts. 

By  Joan  Goodchild 


Also  Inside... 


2  From  the  Editor 

4  From  the  Publisher 

6  Join  the  Discussion 

CSOonline  readers  debate  iPad  payment 
apps  and  data  leakage 

9  Briefing 

■  After  Google-China 
Dustup,  Cyberwar 
Emerges  as  a  Threat 

■  Digital  Attacks  Could  Spur 
Flesh-and-Blood  War 

■  Cybersecurity  Czar: 

White  House  Attitude 
Different  This  Time 

■  SaaS,  Security  and 
the  Cloud:  It’s  All 
About  the  Contract 

■  Enterprise  Risk 
Management:  All 
Systems  Go 


18  Fire  Control 
Toolbox  |  Automated  firewall 
audit  products  cut  compliance 
down  to  size,  optimize  bloated 
and  redundant  rule  sets,  and 
improve  change-management 
processes.  By  Neil  Roiter 

32  Fraudsters  Bank 
on  Business  Accounts 
Industry  View  |  Business 
banking  is  a  popular  target 
for  hacks  and  attacks. 

By  Craig  Priess 

36  Debriefing 

Spring  Cleaning 


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2010 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970. www.copyright.com. Please specify: ISSN 1540-904X. Permission to photocopy does not extend to contributed articles followed by this symbol: † Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 international. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA. 


Cover  illustration  by  Steve  Traynor 


May  2010  www.csoonline.com  1 


[  FROM  THE  EDITOR] 


Do  Your  Worst 


I’ve  been  playing  in  chess  tournaments  since 
1982.  The  competitions  use  a  rating  system 
that  tells  you,  and  everyone  else,  what  your 
real  skill  level  is,  so  it’s  easy  to  measure 
whether  you  are  getting  better  or  not. 

Here’s  what  I  figured  out  about  chess 
over  the  past  30  years:  If  you  really  want  to 
improve,  you  have  to  dig  into  your  weaknesses. 

The  temptation  is  to  avoid  dealing  with 
your  flaws  by  playing  around  your  weaknesses. 
If  you  usually  lose  in  simple  endgames,  for 
example,  you  learn  to  avoid  them  at  all  costs. 

But  while  this  strategy  maximizes  your 
short-term  results,  your  long-term  development 
simply  stops. 

Golfers  tell  me  it’s  the  same  in  golf.  If 
you’re  great  at  driving  and  you  stink  at  putting, 
it’s  tempting  to  spend  your  time  at  the  driving 
range.  That’s  where  you  feel  like  you’re  a  good 
golfer.  But  you’ll  never  actually  lower  your 
handicap  that  way. 

It’s  the  same  in  your  professional  life. 

Dan  Lohrmann  was  a  CISO;  now  he’s  Chief 
Technology  Officer  of  the  state  of  Michigan. 
There’s  no  rating  system  in  security  and  no 
handicap,  but  titles  and  responsibilities  can  be 
decent  ways  of  gauging  professional  development. 
By  that  measure,  I’d  say  Lohrmann  is 
successful. 

His  professional  development  advice, 
therefore,  is  worth  listening  to.  On  our  website, 
Lohrmann  has  been  writing  a  really  interesting 
series  of  blog  posts  about  “Why  Security 
Professionals  Fail.”  The  whole  set  is  very 
thought-provoking;  you  can  find  it  at 
http://blogs.csoonline.com/blog/dan_lohrmann. 

Lohrmann’s  seventh  and  final  post  indicates 
to  me  that  he  thinks  the  same  principle 
applies  to  security  as  it  does  to  chess  and 


golf:  Doing  the  same  old,  same  old  offers  you 
growth  up  to  a  certain  point,  but  the  things 
that  will  make  you  successful  at  the  next 
level,  whatever  that  means  to  you,  are  likely 
to  be  quite  different.  At  some  point,  you  have 
to  identify  the  thing  that  you  don’t  do  well, 
and  do  it.  Study  it,  practice  it,  get  feedback. 
Change  your  approach,  change  your  style,  try 
a  fundamentally  different  method. 

Put  your  beautiful  titanium-and-carbon 
Callaway  driver  back  in  the  bag  and  get  out 
your  Dad’s  old  putter. 

Buy  a  good  book  on  simple  chess 
endgames. 


This  isn’t  just  about  personal  ambition, 
although  most  careers  feature  some  of  that. 

It’s  also  about  making  your  department,  function, 
organization  more  successful.  It’s  a  basic 
way  to  improve  your  leadership. 

As  Lohrmann  says,  “To  lead,  we  need  to 
think  differently.  Wherever  you  are  today,  I 
challenge  you  to  move  beyond  the  box  placed 
around  your  role.” 

-Derek Slater,  dslater@cxo.com 


Editor  in  Chief  Derek  Slater 
Senior  Editors 
Bill  Brenner,  Joan  Goodchild 
Copy  Editor 
Colleen  Barry 
Editorial  Administrator 
Pat  Josefek 
Contributors 

Mary  Brandel,  George  Campbell, 
Robert  McMillan,  Michael  Fitzgerald 

DESIGN 

Executive  Director,  Art  and  Design 

Mary  Lester 

Art  Director  Steve  Traynor 

RESEARCH 

Research  Manager  Carolyn  Johnson 

TECHNICAL  ADVISORY  BOARD 

Jason  Cowling 

Jeremiah  Grossman,  WhiteHat  Security 
Frank  Murphy,  TBG  Security 
Stephen  Northcutt,  SANS  Institute 
Richard  Power,  Carnegie  Mellon  CyLab 

EDITORIAL/ADVERTISING/ 
BUSINESS  OFFICES 

492  Old  Connecticut  Path, 

P.O.  Box  9208, 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 

CXO  MEDIA  INC. 

INTERNATIONAL  DATA  GROUP 

Chairman  of  the  Board 
Patrick  J.  McGovern 

IDG  COMMUNICATIONS,  INC. 

CEO  Bob  Carrigan 

Chief  Content  Officer 

John  Gallant 

BPA  WORLDWIDE 




Photo  by  Tim  Llewellyn 



FORTUNE  500 
COMPANIES  DON’T 
CHOOSE  SECURITY 
ON  A  WHIM. 




Over  95  percent  of  the  Fortune  500  choose  VeriSign  SSL  as  their  online  security  of  choice. 

Why?  Because  VeriSign  can  enable  the  strongest  encryption  available  and  has  the  most 
rigorous  authentication  standards.  Or  because  VeriSign®  Extended  Validation  (EV)  SSL  offers  the 
most  visible  site  security  available  by  displaying  the  green  address  bar  in  high-security  browsers, 
which  is  also  the  most  effective  defense  against  phishing  scams.  Add  it  up,  and  it’s  easy  to  see 
why  industry  leaders  choose  VeriSign— the  most  trusted  symbol  of  security  on  the  Web. 


It’s  powerful.  It’s  the  most  visible.  Learn  more  about  protecting 
your  site  and  your  customers  at  VeriSign.com/EVSSLPaper. 


©  2009  VeriSign,  Inc.  All  rights  reserved.  VeriSign,  the  VeriSign  logo,  the  Checkmark  Circle  logo,  the  VeriSign  Secured  logo,  and  other  trademarks,  service 
marks,  and  designs  are  registered  or  unregistered  trademarks  of  VeriSign,  Inc.,  and  its  subsidiaries  in  the  United  States  and  foreign  countries.  All  other 
trademarks  are  property  of  their  respective  owners. 


[  FROM  THE  PUBLISHER  ] 


Do  passwords 
make  sense? 


I  apologize  up  front  for  jumping  into  this 
debate,  but  I  couldn’t  resist.  Not  a  week 
goes  by,  or  so  it  seems,  without  some  newspaper, 
magazine  or  TV  show  (apologies  to 
my  media  brethren)  lambasting  security  and  IT 
professionals  because  they  force  unnecessary 
security  controls  on  the  poor,  downtrodden 
consumer  or  worker.  It’s  as  if  your  security 
requirements  are  designed  to  make  everyone’s 
life  miserable  with  little  or  no  benefit.  You  evil 
CSOs!  My  heart  bleeds  for  the  poor  peasants 
whom  you  oppress. 

Last  week,  for  example,  the  Boston  Globe 
examined  a  Microsoft  Research  study  that 
concluded,  according  to  the  article,  that 
“many  of  these  irritating  security  measures  are 
a  waste  of  time.”  I  can  certainly  relate  to  that. 
I’m  annoyed  every  time  I  need  to  enter  my 
15-character  complex  password,  which  I  must 
do  several  times  a  day  in  the  office  and  even 
more  often  when  I’m  traveling.  I’m  annoyed 
every  90  days  when  I  have  to  come  up  with  a 
new  complex  password  that  can’t  be  the  same 
as  one  I’ve  used  any  time  in  the  past  20  years. 
But  I  also  recognize  that  simple  passwords, 
pet’s  names,  children’s  names,  and  so  on,  are 
easily  broken.  And  I  realize  that  there  are 
other  sides  to  this  argument. 

When  we  discuss  whether  security 
measures  are  worthwhile  or  not,  we  need 
to  consider  the  point  of  view  from  which  we 
examine  the  issue.  Often  it’s  the  user’s  point  of 
view,  so  the  focus  is  on  all  the  time  they  spend 
entering  long  passwords  or  navigating  security 
controls,  which  results  in  millions  of  hours  of 
lost  productivity.  I  buy  that.  What  I  don’t  buy  is 
that  most  workers  would  be  significantly  more 
productive  if  freed  from  these  controls.  End 
users,  whether  bank  customers  or  your  own 
employees,  are  by  far  the  weakest  link  in  the 
security  chain.  Let’s  not  kid  ourselves:  Security 
controls  are  more  about  protecting  the  business 
than  the  individuals  themselves. 

I  can  already  hear  the  outcry  that  would 
arise  if  a  company  opted  to  use  simple  passwords 
and  ultimately  had  a  data  breach  (safe 
bet).  The  lawyers,  as  they  filed  their  class- 
action  lawsuits,  would  be  asking  why  complex 
passwords  weren’t  required.  The  media  (with 
all  due  deference)  would  paint  a  picture  of  an 
uncaring  corporate  behemoth.  Shame  on  the 
CEO.  Please,  give  me  a  break.  This  argument 
isn’t  about  the  cost-benefit  trade-off  of  time 
versus  security.  It  isn’t  about  the  end  user’s 
productivity  or  inconvenience.  It’s  about 
protecting  the  business’s  reputation  and 
reducing  risk. 


I  give  Cormac  Herley,  the  Microsoft 
researcher  who  conducted  this  study,  a  lot  of 
credit  for  really  looking  at  the  issue.  It’s  these 
deep  dives  that  get  us  all  talking  about  what 
we  do  to  protect  our  secrets.  I  just  hate  when 
the  real  message  gets  lost  in  the  headline  in 
the  local  paper.  By  the  way,  the  headline  for 
the  Globe  article  was  “Please  do  not  change 
your  password.  You  were  right:  It’s  a  waste  of 
your  time.  A  study  says  much  computer  security 
advice  is  not  worth  following.” 

Enough  said? 

-Bob  Bragdon,  bbragdon@cxo.com 


Advertiser  Index 


3M . 5 

ASIS  International . 8 

BeyondTrust . 11 

CSO . 33,35 


Executive  Women’s  Forum  ....  21 


IBM  Corp . C2 

PGP  Corp . 13 

PhoneFactor . C3 

RSA  Security . 15 


Tripwire  Inc . C4 

University  of  Maryland 

University  College . 23 

Verisign . 3 

Verizon . 17 

Websense  Inc . 19 


President  and  CEO 
Michael  Friedenberg 
Group  Publisher  Bob  Melk 
Publisher  Bob  Bragdon 
Senior  National  Sales  Manager 
Per  Melker 

East  Coast  Regional  Sales  Manager 
Roz  Burke 

West  Coast  Regional  Sales  Manager 
Michelle  McHugh 
Sales  Associate 
Sarah  Nadeau 

INTEGRATED  MEDIA  AND 
ONLINE  SALES 

SVP,  GM,  Online  Operations 

Gregg  Pinsky 

VP,  Online  Sales 
Brian  Glynn 

East  Coast  Online  Regional 
Sales  Manager 
Richard  Hartman 
West  Coast  Online  Regional 
Sales  Manager 
Erika  Karr 

Central  Online  Regional 
Sales  Manager 

Stacy  Bryne 

Director,  Online  Account  Services 

Danielle  Tetreault 

Online  Account  Services  Specialists 
Jennifer  Malkasian,  Elise  Ryan, 

Tara  Shea 

CUSTOM  SOLUTIONS  GROUP 

Vice  President  Charles  Lee 
National  Sales  Directors 

Tom  Grimshaw,  Karen  Wilde 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Heidi  Broadley 

EXECUTIVE  PROGRAMS 

SVP,  Executive  Programs 

Ellen  Daly 

Vice  President,  Event  Marketing 

Michael  Garity 

Sr.  Director,  Event  Operations 

Deb  Begreen 

VP,  Content  Development  &  Events 

Derek  Hulitzky 

MARKETING 

Vice  President,  Marketing 

Sue  Yanovitch 

Sr.  Marketing  &  PR  Specialist 
Lynn  Holmlund 

LIST  SERVICES 

Contact  Steve  Tozeski  of 
IDG  List  Services  at  508  820-8106  or 
stozeski@idglist.com 

REPRINTS  &  PERMISSIONS 

For  information  about  reprints  and 
copyright  permissions,  please  contact 
The  YGS  Group,  800-290-5460  ext.  129, 
cso@theygsgroup.com 




Photo  by  Christopher  Navin 


Are  you  protecting  your 
company’s  information? 

You  should  be. 

Get  3M  Mobile 
Privacy  Film 




3M™  Mobile  Privacy  Film 


Don’t  take  chances  with  your  company’s  vital  information.  Use  3M™  Mobile  Privacy  Film  to  keep  your  smartphone  from  becoming  your  company’s  next  big 
security  breach.  Apply  it  to  your  smartphone  screen  for  a  crisp,  clear  view  from  straight  on,  while  from  the  side,  the  screen  appears  dark,  blocking  others 
from  viewing  your  data.  It’s  easy  to  apply  and  removes  cleanly  leaving  no  residue. 


3M  is  your  solution  for  privacy  on  every  screen.  For  more  information  on  3M  Mobile  Privacy  Film 
and  3M  Privacy  Computer  Filters,  visit  www.3MPrivacyFilter.com/Security  or  call  800-553-9215. 


©  3M  2010 


What’s  on  your  mind?  Security  leaders  discuss 
and  debate  at  www.csoonline.com 


BLOG  POST 

iPad  Payment 
Apps:  Too  Soon! 

Forrester  Research  says  the 
charge  into  mobile  payment 
applications  brings  absurd  risks 

Even though the iPad is barely birthed, there is already a push to provide payment applications for the device. It’s time to pull the emergency brake on this trend. Are these applications Payment Application Data Security Standard (PA-DSS)-certified? Do they have swipe devices with crypto hardware built in? Has the PIN entry device been rigorously tested and does it meet all the PIN Transaction Security guidelines? There are so many things consumers should know about the security of these new methods before they allow their credit card to be captured by an iPad or iPhone. Is the card’s Personal Account Number (PAN) encrypted the moment it is read by the device? Does the device establish an encrypted tunnel to transport the transaction to the payment gateway? Does the iPad store the PAN? Is that storage encrypted or unencrypted? Does the processor support a tokenization scheme to keep the iPad out of the payment card industry’s scope? Is the payment app the only thing running on the iPad? To use an iPad as a point-of-sale device, it must run only the payment app. No iTunes or Facebook or games. Read the regulations. How will iPad payment vendors try to get around PCI Requirement 2.2.1, “Implement only one primary function per server”? This requirement was designed precisely to keep merchants from using the same system for payment applications and another purpose. A POS device must be single-purpose. Limit the iPad to having only the payment application installed and then we will talk.

Too many questions and no answers. Taking credit cards for use by your business is not a right. It is an obligation. An obligation to your customers to protect their data. An obligation to your acquiring bank to play by their rules.

Until these new types of payment companies can demonstrate that they are compliant with industry standards and their names show up on the PCI Security Standards Council website, consumers would be foolish to allow their card information to be captured by one of these applications.

—John  Kindervag 


BLOG  POST 

Data  Leakage: 
Like  Catching 
Water  in  a  Sieve 

Sam was stunned. Three desktop systems were stolen, along with a large amount of sensitive information. With all the network and server controls he had in place, he had still failed to prevent data theft.

The situation above actually happened. Along with lost or stolen laptops, PDAs or other devices capable of storing data, desktop theft can highlight a huge gap in data-protection controls. The gap is not caused by improper user behavior. Users are only putting data in places and formats more amenable to how they work. They store data on a variety of devices at home. Why not do the same thing at the office? The answer is: because it results in the leakage of data from secure locations.

Data theft and data leakage are not the same. Data leakage is the incremental movement of information from areas of high trust to myriad locations with little or no protection. It makes theft a little easier every day. Most managers don’t realize that it threatens regulatory compliance and customer confidence.

The core of an organization’s data security efforts includes database security controls, access controls and secure application configuration. Many organizations stop here, assuming they have adequately protected customer, employee and intellectual-property data. The problem starts when users begin taking data from this controlled environment and putting it in places that have far lower levels of trust.

One of the biggest problems is taking information from applications and putting it into spreadsheets, PDF files and other distributable formats. In some cases, organizations actually distribute reports in these formats, expecting users to adequately safeguard them. In addition to user-created files, sensitive information is often found in temporary files, print queues and swap files created by operating systems and placed in local storage.

In addition to what might be found on desktop and laptop hard drives, data leaks to many other locations. The most common include e-mail, thumb drives, CDs, DVDs, the trash and smartphones. Data leakage extends beyond electronic storage to paper copies left on faxes and printers.

The layers of security surrounding primary data storage are a good start. Without a comprehensive data leakage policy, however, preventing data theft is as easy as catching water in a sieve.

Stopping data leakage is not easy. It requires behavior changes and often results in redesigning reporting and other business processes. However, organizations that fail to stop data leakage are only kidding themselves, and their auditors, about the safety of sensitive data.

Each business is unique. How data leakage is prevented or controlled depends on strategic and operational requirements. The following list, therefore, is just a basic guide to help start internal assessments of an organization’s vulnerability.

■ Does the organization prohibit storage of files on desktops? Does it redirect file saves to network storage devices (e.g. file servers and network-attached storage)? If Windows is used on the desktop, is the My Documents folder redirected to network storage?

■ Do reporting or data-warehousing solutions allow the distribution of sensitive data to end-user devices? Do they have to? Is there another way to provide this information (e.g. Web portal)?

■ Does the organization encrypt sensitive data stored on mobile storage devices, including laptops?

■ Does the organization have a solution in place to monitor for and send alerts about instances where sensitive data is moved to or stored in areas where security controls are not adequate?

■ Do policies exist to govern the safe use of printers and faxes?

■ Does the organization provide secure receptacles for discarded paper forms, reports and other hard-copy formats containing sensitive data? Is secure disposal governed by policy and enforced by management?

■ Does the organization have a process for disposing of electronic or optical media? Is secure disposal governed by policy and enforced by management?

■ Does the organization manage by spreadsheet, keeping large amounts of sensitive data in shared or distributed files that are not backed up or safeguarded from theft?

■ Is e-mail monitored for content, with alerts sent when someone may be sharing sensitive data via unsecured media?

My experience is that data leakage from approved or accepted business practices is a significant security vulnerability. Until it is addressed, other data protection controls are just a good start. — Tom Olzak


HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.
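Two items in Olzak’s checklist above (alerting when sensitive data is moved somewhere under-protected, and monitoring e-mail for content) come down to the same mechanism: content inspection that decides, from the bytes of a file or message, whether regulated data is present. The Python below is an added illustration of that check; it is not part of Olzak’s post and does not describe any product. It scans a constructed sample of one outbound mail body and two desktop files for payment card numbers (13 to 19 digits, confirmed with the Luhn check so that phone numbers and order IDs are not flagged) and for U.S. SSN-shaped strings (shape only), and returns masked findings tagged with their source, so an alert can name the file or message without re-leaking the data. The patterns, paths, addresses and numbers are all assumptions made for this example; the card numbers are the widely published test numbers, not real accounts.

```python
import re
from dataclasses import dataclass

# Candidate card number: 13-19 digits, optionally separated by single spaces or dashes.
# Assumed pattern for the example; tune per card brands accepted.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# U.S. SSN *shape* only (3-2-4 digits with dashes); no issuance-table validation.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check. Rejects digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    source: str   # where the data was seen (file path, mail recipient, ...)
    kind: str     # "PAN" or "SSN"
    masked: str   # last four digits only, so the alert itself does not leak


def mask(digits: str) -> str:
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(source: str, text: str) -> list[Finding]:
    """Return every PAN (Luhn-valid) and SSN-shaped string found in one body of text."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(Finding(source, "PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(Finding(source, "SSN", mask(m.group().replace("-", ""))))
    return findings


def scan_corpus(corpus: dict[str, str]) -> list[Finding]:
    """Scan a mapping of source label -> text, e.g. mail bodies and local files."""
    out: list[Finding] = []
    for src, text in corpus.items():
        out.extend(scan_text(src, text))
    return out


# Constructed sample input (not real data): one outbound mail and two desktop files.
SAMPLE = {
    "mail:to=partner@example.net":
        "Per our call, card 4111 1111 1111 1111 exp 12/12, ship Tuesday.",
    "C:/Users/jdoe/Documents/q1-refunds.csv":
        "id,amount,card\n7,19.99,5500000000000004\n8,45.00,5500000000000005\n",
    "C:/Users/jdoe/Documents/phone-list.txt":
        "Help desk: 1-800-555-0100 ext 4242\nPayroll contact SSN on file: 078-05-1120\n",
}

if __name__ == "__main__":
    for f in scan_corpus(SAMPLE):
        print(f"ALERT {f.kind} in {f.source}: {f.masked}")
```

Run against the sample, `scan_corpus` reports the card in the mail body, the one Luhn-valid card in the refunds spreadsheet and the SSN in the phone list; it ignores the help-desk number (too short) and the spreadsheet row whose number fails the Luhn check. In a deployment this logic would sit on the mail gateway or an endpoint agent and feed findings to the alerting pipeline; the inspection itself does not change.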


MORE  ON  THE  WEB 

Join  the  CSO  Forum  on  Linkedln 

The  CSO  Forum  is  the  best  place  to  share  expertise  with  peers- 
top  leaders  in  digital  and  physical  security,  business  continuity, 
fraud  prevention  and  other  operational  risk  areas.  Members  get 
advance  access  to  research,  event  discounts  and  more. 

-To  find  us,  search  Linkedln's  groups  for  the  CSO  Forum. 






As  new  security  challenges  and  uncertainties  evolve,  it  is  critical  that  you 
have  the  most  advanced  industry  knowledge  and  solutions  to  stay  one 
step  ahead.  At  ASIS  2010,  you’ll  be  instantly  immersed  in  security  insight 
and  innovation  through  more  than  180  timely  educational  sessions  and 
the  chance-of-a-lifetime  keynote  events— not  to  mention  the  real-world 
ideas  exchanged  at  unlimited  networking  opportunities.  All  in  one  place. 

Register  now  for  ASIS  2010,  the  one  destination  trusted  by  top  security 
professionals  worldwide.  And  the  one  event  you  need  to  attend  this  year. 
Visit  www.asis2010.org  or  call  +1 .703.519.6200  to  register  and  for 
more  information. 


Trade  Show  Executive’s  The  Top  100  Trade  Shows  of  2008 


Keynote  speakers: 

Chesley  B.  Sullenberger,  Captain,  “Miracle  on  the  Hudson” 

Pervez  Musharraf,  President  of  Pakistan  (2001-2008), 
Chief  Executive  of  Pakistan  (1999-2001) 


DALLAS,  TEXAS 


“ Cyber  war  may  actually  increase  the  likelihood  of  the  more 
traditional  combat  with  explosives,  bullets  and  missiles.  ”  page  10 


TRENDS,  STATS  AND  FAST  FACTS 
Edited  by  Bill  Brenner 


After  Google-China  Dustup, 
Cyberwar  Emerges  as  a  Threat 

The  episode  highlighted  dangers  menacing  the  United  States 


Few  events  have  crystallized  U.S.  fears  over 
a  cyber  catastrophe,  or  brought  on  calls 
for  a  strategic  response,  like  the  recent 
attacks  against  Google  and  more  than  30 
other  tech  firms. 

The  company’s  disclosure  in  January  that 
it  was  attacked  by  China-based  hackers,  along 
with  its  subsequent  decision  to  scale  back 
operations  there,  have  stoked  long-standing 
fears  over  the  ability  of  cyber  adversaries  to 
penetrate  U.S.  commercial  and  government 
networks. 

If  a  full-fledged  cyberwar  were  to  break 
out,  the  nation’s  economy  would  be  hit  hard: 
Banks  might  not  be  able  to  function;  electricity, 
water  and  other  utilities  could  be  shut  off;  air 
travel  would  almost  certainly  be  disrupted; 
and  communications  would  be  spotty  at  best. 

In  a  word,  chaos. 

Few  think  that  such  a  war  is  imminent.  But 
damage  has  already  been  done  by  a  slew  of 
cyberattacks  that,  while  falling  well  short  of 
cyberwar,  have  still  resulted  in  the  theft  of 
terabytes  of  intellectual  property  data, 
trade  secrets  and  classified 
information.  That  material  is 
now  in  the  hands  of  overseas 
groups,  many  of  which  are 
thought  to  be  state-sponsored. 

It’s  not  just  data  and  secrets 
being  stolen;  cyberthieves  have 
also  made  off  with  billions  of  dollars  from 
companies  and  banks.  There  are  also  growing 
concerns  that  cyberattackers  are  making 
subtle  changes  to  software  source  code.  If 
that’s  the  case,  they  could  be  creating  permanent 
windows  into  a  company’s 
operations.  These  would  allow 
the  criminals  ready  access  to 
the  compromised  system  in  the 
future,  allowing  them  to  make 
whatever  mischief  they  pleased. 

An  ‘existential  threat’ 

Many  see  the  attacks  as  evidence 
that  the  country  is  already  in  the 
midst  of  an  undeclared  cyberwar, 
with  attacks  against  government 
targets  estimated  to  have  more 
than  doubled  in  the  past  two  years.  Just  last 
week,  a  top  FBI  official  called  cyberattacks 
an  “existential  threat.”  On  Friday,  those  sentiments 
were  echoed  by  two  senators  who  are 
currently  pushing  cybersecurity  legislation. 

Mike  McConnell,  the  former  director  of 
the  National  Security  Agency  and  director  of 
national  intelligence  during  the  Bush  administration, 
recently  said  in  a  Washington  Post 
column  that  the  country  is  not  only  fighting 
such  a  war,  it’s  losing  the  battle. 

That  sentiment  is  shared  by 
Admiral  Robert  Willard,  who 
warned  Congress  about  attacks 
that  appeared  to  originate  from 
China  targeted  at  military  and 
other  government  networks. 

The  attacks  are  challenging  the 
military’s  ability  to  “operate  freely  in  the 
cybercommons,”  he  says. 

Those  views  are  shared  by  security  experts 
in  both  the  public  and  the  private  sectors  who 
see  the  relentless  probing  and  attacks  as  a 


precursor  to  something  more  devastating. 

The  concern  is  prompting  action  of  sorts  in 
Washington.  In  just  the  past  month,  two  major 
cybersecurity  bills  have  been  proposed.  One 
would  tie  the  financial  aid  a  country  is  granted 
to  its  willingness  to  fight  cybercrime.  The  other 
would  strengthen  domestic  cybersecurity  and 
require  the  president  to  work  with  private 
industry  in  response  to  any  cyber  crises.  The 
latter  is  a  foregone  conclusion,  given  how  much 
cyberinfrastructure  is  in  private  hands. 

A  cybersecurity  ambassador? 

Meanwhile,  the  State  Department  is  rumored 
to  be  considering  the  creation  of  a  cyberse¬ 
curity  ambassador  for  the  United  Nations. 
That’s  important,  because  there’s  no  settled 
definition  of  cyberwar  and  various  nations  are 
already  trying  to  figure  out  what  a  cyberwar 
entails,  what  would  cause  it  to  be  declared  and 
how  it  would  be  fought. 

The  first  step  to  formulating  an  organized 
response  is  defining  cyberwar  correctly,  says 
Robert  Rodriguez,  a  former  Secret  Service 






>>  BRIEFING 


special  agent  and  founder  of  the  Security  Innovation 
Network.  Calling  what’s  gone  on  in  recent 
years  a  “cyberwar”  only  complicates  things,  he 
says. 

“War connotes huge conflict at a grand level between nations and societies,” Rodriguez says.

It also involves the use of military force to destroy another nation's capabilities and will to resist, according to James Lewis, director and senior fellow at the Center for Strategic and International Studies. The cyber equivalent of such a conflict would involve a nation using cyber means to attain political ends in another country, says Lewis, who led a commission that developed a set of cybersecurity recommendations for President Obama last year.

“When you look at the number of systems that have been Trojaned or compromised, you could say our cyberbattlefield has been prepped and can be used against us,” admits Jerry Dixon, former director of the National Cyber Security Division at the Department of Homeland Security.

“However, the adversary has to decide if the intelligence they're getting from our systems and networks is more valuable than attacking them to take them offline,” he says. “If they attack and take them offline, they will lose insight into what we're doing.”

Making such distinctions is crucial from a strategic response standpoint. “Pronouncements that we are in a cyberwar or face cyberterror conflate problems and make effective response more difficult,” Lewis says.

Spies or criminals?

If the attacks of recent years aren't warfare, what should they be called?

A lot of what's going on is cyberespionage and cybercrime on a massive and growing scale.

They aren't new, says Patricia Titus, the former chief information security officer at the Transportation Security Administration, now in a similar post at Unisys. But the attacks on Google and other companies drew attention to the scope of the problem, she says.

Many of the recent attacks appear to have originated from China, though countries such as Russia and India are also suspect. Specific companies and government organizations are usually targeted through the use of social engineering tricks, advanced reconnaissance and sophisticated malware tools that can quietly penetrate networks and steal data.

What's not always clear is whether this kind of economic and military espionage is state-sponsored or carried out by hacktivists and opportunists. -Jaikumar Vijayan


CYBERWAR

Digital Attacks Could Spur Flesh-and-Blood War

Former presidential adviser Richard Clarke warns that the United States is vulnerable to cyberattacks, which could lead to armed conflict

Although the United States likely has the best cyberwar capabilities in the world, “that offensive prowess cannot make up for the weaknesses in our defensive position,” one-time presidential adviser Richard Clarke argues in his book Cyber War.

Clarke, who served as special adviser to the president for cybersecurity in 2001 and now teaches at Harvard's Kennedy School of Government and works at Good Harbor Consulting, fears that any outbreak of cyberwar would lead to physical violence.

“Far from being an alternative to conventional war, cyber war may actually increase the likelihood of the more traditional combat with explosives, bullets and missiles,” Clarke writes in his book, which was released last month.

Several nations, most prominently Russia, China and North Korea, are already assembling cyber armies and weapons that could be used to attack other nations, he says.

Given that the United States is heavily dependent on technology for such important functions as banking, supply-chain tracking and air-traffic control, it's particularly vulnerable to the denial-of-service attacks, electronic jamming, data destruction and software-based disinformation tricks likely to be features of cyberattacks.

The Pentagon established Cyber Command to fight cyberwars and protect the Department of Defense from cyberattack, Clarke says, noting that Russia and China are the military's primary concerns in this arena. But America's Achilles heel may be its corporate sector, which, despite operating much of the public Internet and telecommunications infrastructures, has largely been left to its own devices when it comes to cyber defenses, and which farms out much of the nation's tech manufacturing to overseas factories.

Clarke says those flaws could give China the upper hand in a cyberconflict. “The Chinese government has both the power and the means to disconnect China's slice of the Internet from the rest of the world, which they may very well do in the event of a conflict with the United States,” he says, adding that China's cyberwarriors are charged with defending all of China's infrastructure, not just the segments run by the military. Clarke advocates the creation of international agreements aimed at preventing cyberwar, and to enforce them, he says countries must cooperate to trace attacks that appear to violate such pacts, even though finding an aggressor on the Internet can be very difficult.

Clarke also would like to see changes in the United States that would put the nation's ISPs, with government oversight, in charge of preventing attacks.

-Ellen Messmer


Richard  A.  Clarke 




Photo  by  AP/Wide  World  Photos 




NATIONAL SECURITY

Cybersecurity Czar: White House Attitude Different This Time

Howard Schmidt on working with President Obama, gaining access to new resources and the status of specific cybersecurity initiatives

When the Obama White House tapped industry veteran Howard Schmidt to be cybersecurity coordinator in December, some were skeptical of whether he'd be listened to. He had already tried to make changes in the previous administration, and the cybersecurity czars who followed him didn't last long.

Others fretted that Schmidt's thinking was too old-school. Forrester Research senior analyst Andrew Jaquith, for example, declared that Schmidt needed to “clue up.” Pointing to concerns Schmidt raised in a 2010 predictions article late last year, Jaquith said, “He said ‘we're concerned about social networking.’ Well, sure, we've known that for a while. ‘We're concerned about smartphone malware.’ Good for him for expressing an opinion about something that's been expressed before. To me, though, there just wasn't much by way of real forward-looking predictions. I think he's fighting many of the last wars in 2010, and I'm hoping we can get a little more vision out of Mr. Schmidt.”

In an interview with CSOonline.com, Schmidt addressed those concerns and explained how this time, things are different.

For starters, he said, the position he finds himself in is far different from his previous government job. The title is brand-new and the chain of command is much shorter than the one previous cyber czars had to contend with. President Obama himself is far more tech- and cybersecurity-savvy than previous presidents. The fact that he gave a major address on that topic last May is proof of that, Schmidt said. It was in that address that Obama announced the creation of a cybersecurity coordinator who would operate from the West Wing.

President Barack Obama greets new Cybersecurity Coordinator Howard Schmidt, Dec. 17, 2009.

“From my perspective, and you know I've been in this business a long time,” Schmidt said, “it was unprecedented to hear the president, in the speech he gave last May, not only using terms like botnet, worms, viruses and Trojans, but also understanding what they are and what the effects are.”

He said Obama's feedback was instrumental in the decision to declassify part of the administration's Comprehensive National Cybersecurity Initiative (CNCI) and make public 12 of its key points, which Schmidt did during the RSA security conference in March.

The initiatives, which are available on the White House website, include:

The Trusted Internet Connections (TIC) initiative. Headed by the Office of Management and Budget and the Department of Homeland Security, this involves the consolidation of the federal government's external access points, including those to the Internet. This consolidation will result in a common security solution, which includes facilitating the reduction of external access points, establishing baseline security capabilities and validating agency adherence to those security capabilities. Agencies participate in the TIC initiative either as TIC Access Providers (a limited number of agencies that operate their own capabilities) or by contracting with commercial Managed Trusted IP Service (MTIPS) providers through the Networx contract vehicle, which is managed by the General Services Administration.

Intrusion detection and prevention systems across agencies. DHS is deploying signature-based sensors capable of inspecting Internet traffic entering federal systems for unauthorized accesses and malicious content. The systems are part of the Einstein 2 project, which analyzes network flow information to identify potentially malicious activity while conducting automatic full packet inspection of traffic on government networks.

A governmentwide cyber counterintelligence (CI) plan. The plan establishes and expands cyber CI education and awareness programs and workforce development to integrate CI into all cyber operations and analysis, increase employee awareness of the threat, and increase collaboration across the government. The cyber CI plan is aligned with the National Counterintelligence Strategy of 2007 and supports the other programmatic elements of the CNCI.

-Bill  Brenner 




Photo  courtesy  of  the  White  House 




Security Wisdom Watch

Thumbs both ways: Apple. The Steve Jobs empire made a smart move by hiring Window Snyder as its new senior product manager for security and privacy. She has played a key role in improving security at both Microsoft and Mozilla. She'll do a world of good at Apple, if the company follows her lead.

Thumbs down: Zscaler's Julien Sobrier. Sobrier is a super-smart researcher we've come to respect and trust. But we don't agree with his suggestion that the URL-shortening security risk is overblown. We've seen too much proof to the contrary already.

Thumbs up: Software developers. Errata Security conducted a survey on software security assurance and found, among other things, that the most popular formal software security-assurance methodology was the Microsoft SDL, followed closely by Microsoft's SDL-Agile. In the bigger picture, though, the survey results show a lot more code writers worrying about security at the very beginning of the process.

Thumbs down: Location-based social networking. Twitter now gives the exact location you're tweeting from if you allow it. People are increasingly attached to services like Foursquare. We think these things are excellent, if you really do want to be stalked, kidnapped or worse.

-B.B.


INFOSEC BUDGETS

SaaS, Security and the Cloud: It's All About the Contract

Security practitioners have learned the hard way that contract negotiations are critical if they want to reach their SaaS goals

The term “software as a service” (SaaS) has been around a long time. The term “cloud” is still relatively new to many people. Putting them together has meant a world of hurt for many enterprises, especially when trying to integrate security into the mix.

During a joint panel discussion hosted by CSO Perspectives 2010 and SaaScon 2010 last month, five guys who've been there before sought to help attendees avoid the same ordeal. Perhaps the most important lesson they imparted is that contract negotiations with providers are everything. The problem is that you don't always know which questions to ask when the paperwork is being written. Add to that the basic misunderstandings companies have regarding what the cloud is all about, says Jim Reavis, cofounder of the Cloud Security Alliance (CSA). “It's important we understand there isn't just one cloud out there. It's about layers of services,” Reavis says. “We've seen an evolution where SaaS providers ride atop the other layers, delivered in public and private clouds.”

Security vendors can be part of the problem. In a recent CSO article about mistakes one vendor made in the cloud, Nils Puhlmann, another cofounder of the CSA and previously CISO for such entities as Electronic Arts and Robert Half International, noted that the vendor, who was not named, did “everything you can possibly do wrong” when rolling out the latest version of its SaaS product, leading to users uninstalling its solution in large numbers.

Customers using a particular version of the SaaS product were caught unawares when the vendor decided to roll out a new version through the cloud. It was done in such a way that, at the moment of the upgrade, any new endpoint that was added to be managed automatically got the new version. Customers were not asked or notified, and were forced into a mixed-version environment as a result.

Keith Waldorf, VP of operations at Doctor Dispense, a point-of-care medication and e-prescription dispensing provider, says one of his company's most painful experiences in this area was on the contract side. “The lack of common standards really surprised us,” he says. In 2005, Doctor Dispense started running its own virtual environment. The company knew it couldn't manage it alone, but had to burn through five service providers to find the right one. One challenge, Waldorf says, is that every vendor seems to do things differently; there's no common framework. “We thought the fine print in the contracts had no real relevance, but that thinking ultimately came back to bite us,” he says. The company ran into trouble migrating to a new platform. When switching from one service provider to the next, the company would find the old provider still attempting network log-ins.

Another challenge, Reavis says, is that cloud providers aren't always good at furnishing the log information that's critical during a data-breach investigation. “A contract with very clear provisions on the level of logging required of the provider is very important,” he says.

-B.B.




Illustration  by  Veer 




RISK MANAGEMENT

Enterprise Risk Management: All Systems Go

ERM might seem a lofty concept, but here's an example of turning it into specific systems and projects that reduce risk

When Bill Badertscher arrived at Georgetown University three years ago, campuswide security was handled in several departments with little coordination among teams. It was time for a change. Badertscher is Georgetown's senior engineer for facility and safety control systems and leader of a new IT team that focuses on the same areas. The goal is to address enterprise risk management (ERM) by redefining it to include nontraditional systems. Understanding that security is mission-critical has led the University Safety and Information Services departments to work together in unprecedented ways.

Badertscher spoke with CSO about the program, as well as the challenges and changes he's encountered in bringing Georgetown's ERM strategy into the 21st century.

CSO: Let's start with an overview of where Georgetown's ERM program was before you came on board. What were some of your first steps when you started in your current role?

Bill Badertscher: Georgetown had experienced several significant security project failures and data security breaches. So at a high level, it was recognized that a strategy was needed to address systems in the facilities and security spaces. That strategy was led by our CIO Dave Lambert and resulted in the formation of several new groups within IT.

When I first came on board, a budget was established to immediately replace some legacy systems, including access control and video surveillance. However, early assessments identified a much wider range of needs; initial wish lists totaled more than $60 million in new spending. That level of funding isn't available, so it's been key to do risk assessments to prioritize our needs. These have focused our efforts on access control, video surveillance, emergency response and fire-protection systems.

What are some changes you've made?

Georgetown recognized early on the need for IT to take a leadership role in the replacement of departmental systems and independent cabling networks. Our data network has sufficiently matured to accommodate the power and communication needs of security and other systems. This is important because nearly all new systems today interface with the data network. Our philosophy is to leverage the data network as much as possible and closely manage data security along the way.

Our ERM program is not just about facility and security control systems. Along with my group, we have new groups responsible for scholarly information systems; research and regulatory administration; data security and policy; and advancement. So it's not just my group. It's actually a collection of new initiatives that are reaching out across the university to address enterprise risk. That includes facility and security control systems, but a lot of others as well.

What have been some of the bigger challenges along the way?

One of the bigger challenges when I got to Georgetown was the roles and responsibilities issue. In a very siloed environment, facilities have their own administration and they are very independent. So one of the immediate reactions was a lot of defensiveness among the folks in the departments wanting to know why information systems was stepping into what they thought of as their turf.

As a result, there's been a lot of education. We specifically are not trying to take over operations in those spaces, but we need to understand what their business needs are so we can put the proper technology in place to meet those business needs.

We've come up with a simplified model. The business units describe to us what they need, and then we describe how that is accomplished through technology. That's been very successful in helping to communicate to key stakeholders that we are actually partners.

You say legal principles are a driving force in your ERM strategy. Can you explain what you mean?

It goes back to prioritizing our risks. A lot of security spending decisions are made on an emotional basis or in response to incidents. But at the end of the day, the most significant risks we face are incidents that lead to lawsuits or have a negative impact on our reputation. Like our peers, Georgetown has defended against its share of lawsuits and has endured scrutiny by the media and parents.

A key element that comes into play, for us, is understanding due care, which is the care that a reasonable person would exercise under the circumstances. Further, we practice due diligence to make sure the security controls we put in place are effectively operationalized and maintained.

There is also the matter of foreseeability. For example, if students were getting assaulted in particular areas of the campus, we can't turn a blind eye to those incidents. There is a lot of established case law that outlines what universities should be doing to protect parking lots, for example, or residence halls. So we have to make sure we are evaluating what our peers are doing and staying on top of best practices. The very real connection between what we are doing and how well it mitigates our risk is based on the legal consequences of what we do.

Various stakeholders across the university have their own ideas about what good security means. Some people want to put card readers everywhere. Some people want to put cameras everywhere. And some don't want either. We base our decisions on a clear understanding of the risks involved. This includes identifying our assets and assessing the threat environment and our vulnerabilities, and then communicating our plans.

-Joan Goodchild




Photo  courtesy  Wikimedia  Commons 




By Neil Roiter

Fire Control

Automated firewall audit products cut compliance down to size, optimize bloated and redundant rule sets, and improve change-management processes




Illustration  by  Adam  Nickel 


Firewall audit tools automate the otherwise all-but-impossible task of analyzing complex and bloated rule sets to verify and demonstrate enterprise access controls and configuration change-management processes.

Although the market has been driven by compliance (it was essentially created by PCI DSS), these tools can also allow organizations to improve network performance, reduce downtime, improve security and reassign staff from shooting down firewall issues and analyzing configurations to taking on tasks that help grow the business.

The problems are familiar to organizations of all sizes, from those with just one or two overtaxed and inefficient firewalls, to large, distributed enterprises with scores or hundreds of firewalls administered by many business units, often all following different policies that may have been written before the units' acquisitions.

Not long ago, 200-300 rules was considered excessive. Now, it's not unusual for firewalls to have many hundreds or even thousands of rules, many of which were rendered obsolete when IT operations added new rules to meet business requests but neglected to remove any old ones. Analyzing configurations for a few firewalls, let alone hundreds, has grown beyond the capacity of human computation.

Key Benefits and Use Cases

Business efficiency and security may be the goals, but regulatory requirements frequently open up the budget. The firewall audit market, pegged by Forrester Research at $25 million to $30 million in 2009, is fueled by PCI DSS requirements to review firewall and router configurations every six months. These controls also typically come under scrutiny during internal, partner and other regulatory audits.

Enterprises exhaust countless man-hours analyzing firewall and router configurations to produce audit reports, only to realize that they do not have a firm grasp on their network access controls and the change-management processes that enable them.




>> TOOLBOX

Big-Picture Risk Assessment

Generally speaking, firewall audit tools evaluate individual firewalls, even if they can do so for hundreds of them. Some are slowly moving toward a more networkwide risk-assessment approach and the ability to evaluate not only each device, but how devices relate to one another: their mutual dependencies across the network.

Skybox Security and RedSeal Systems, on the other hand, offer precisely this type of enterprise-grade network risk-assessment product. They map networks and analyze configuration flaws, unpatched vulnerabilities and access routes between network assets, even those that were created unintentionally. Security managers can run sophisticated models to identify security exposures and evaluate risk based on the assigned value of the asset and what kind of vulnerabilities it has.

“Some servers are more important than others,” says Ryan Trost, director of security and data privacy officer for Reston, Va.-based Comprehensive Health Services, a RedSeal customer. “Some can easily be rebuilt, but for others even a second of offline or down time starts to affect normal business processes.”

Trost said that risk assessment, especially at audit time, was daunting in an environment of just under 200 servers, requiring weeks of reviewing firewall access control lists, switch configurations and 600 pages of vulnerability scan reports.

“The risk-management software sucks [in] everything, analyzes it and does prioritization for me,” says Trost. “It's become the cornerstone of our security posture.”

Skybox and RedSeal both got a foot in the firewall audit market when PCI DSS opened the door. Skybox includes a firewall audit product in its suite. RedSeal positions itself as a risk-management company, but its software can also be used for firewall audit.

While the firewall audit vendors “are trying to push upstream a little,” says John Kindervag, senior analyst at Forrester Research, the market for what he calls “network threat mitigation technologies” is unclear, as enterprises need to be educated and vendors have to sell potential customers on their value at a price that makes sense.

“The products themselves are quite phenomenal in many respects,” he says. “In a perfect world, everyone would have a tool like this.” -N.R.
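What a networkwide model adds over per-firewall checks is the ability to chain devices: the packet-filter decision at the edge, a second one between the DMZ and the inside, and the host an attacker lands on in between. The following added example (not Skybox or RedSeal code; the zones, rules, assets and CVSS scores are constructed) builds that model and ranks exposures by assigned asset value times vulnerability score, including the route through a reachable DMZ host to an internal database that no edge rule ever mentions.

```python
"""Network-wide exposure model: zones joined by firewalls, assets with a
business value and known service weaknesses, and a search for the routes
an attacker could take, including pivots through a reachable host.
Added example; not Skybox or RedSeal code. Zones, rules, assets and
CVSS scores are constructed for illustration."""
import ipaddress
from collections import deque
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: tuple                     # inclusive (low, high) TCP destination ports

    def matches(self, s, d, p):
        return s in self.src and d in self.dst and self.dport[0] <= p <= self.dport[1]


def permits(rules, s, d, p):
    """First matching rule wins; an unmatched packet is dropped."""
    for r in rules:
        if r.matches(s, d, p):
            return r.action == "allow"
    return False


net = ipaddress.ip_network
# Constructed topology: zone -> address space; anything else is "internet".
ZONES = {"dmz": net("10.1.0.0/24"), "internal": net("10.2.0.0/24")}
# Firewalls as directed edges (from_zone, to_zone, rule set).
FIREWALLS = [
    ("internet", "dmz", [
        Rule("allow", ANY, net("10.1.0.10/32"), (443, 443)),
        # "temporary" vendor rule nobody removed: SSH to the whole DMZ
        Rule("allow", ANY, net("10.1.0.0/24"), (22, 22)),
        Rule("deny", ANY, ANY, (0, 65535)),
    ]),
    ("dmz", "internal", [
        Rule("allow", net("10.1.0.0/24"), net("10.2.0.5/32"), (3306, 3306)),
        Rule("deny", ANY, ANY, (0, 65535)),
    ]),
]
# Constructed assets: (name, ip, business value 1-5, {port: CVSS of the service})
ASSETS = [
    ("web-01", "10.1.0.10", 3, {443: 4.3, 22: 0.0}),
    ("jump-02", "10.1.0.20", 2, {22: 9.8}),     # unpatched SSH daemon
    ("db-01", "10.2.0.5", 5, {3306: 7.5}),
]


def zone_of(ip):
    return next((z for z, n in ZONES.items() if ip in n), "internet")


def path(src_ip, dst_ip, port):
    """Breadth-first search over zones. Returns the zones a packet crosses,
    or None when every route has a firewall that drops it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    goal = zone_of(d)
    queue, seen = deque([[zone_of(s)]]), {zone_of(s)}
    while queue:
        route = queue.popleft()
        if route[-1] == goal:
            return route
        for a, b, rules in FIREWALLS:
            if a == route[-1] and b not in seen and permits(rules, s, d, port):
                seen.add(b)
                queue.append(route + [b])
    return None


def exposures(attacker_ip="198.51.100.7", pivot=True):
    """Rank every reachable (asset, port) by business value x CVSS. With
    pivot=True a reachable service scoring 7.0 or more is treated as
    compromised and its host becomes a new source, which is how an internal
    database that no edge rule mentions still ends up on the list."""
    findings, visited = {}, {attacker_ip}
    sources = deque([(attacker_ip, [])])
    while sources:
        src, via = sources.popleft()
        for name, ip, value, services in ASSETS:
            for port, cvss in services.items():
                if (name, port) in findings:
                    continue
                route = path(src, ip, port)
                if route is None:
                    continue
                full = via + route[1:] if via else route
                findings[(name, port)] = (round(value * cvss, 1), full)
                if pivot and cvss >= 7.0 and ip not in visited:
                    visited.add(ip)
                    sources.append((ip, full))
    return sorted(findings.items(), key=lambda kv: kv[1][0], reverse=True)


if __name__ == "__main__":
    for (name, port), (score, route) in exposures():
        print(f"{score:5.1f}  {name}:{port}  via {' -> '.join(route)}")
```

Run as a script it prints the database first: the edge firewall never mentions 10.2.0.5, but the forgotten SSH rule exposes a vulnerable jump host in the DMZ, and the inner firewall trusts the whole DMZ to reach MySQL. A single-firewall audit of either device would have passed both rule sets as written.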


“How do you demonstrate that a 2,000-rule set is robust and secure?” says a security officer for a telecommunications company, which uses Skybox Security’s Skybox Assure solution. “It’s impossible to do manually.”

These automated tools run complex algorithms that evaluate the actual rules against corporate policies and best practices to identify gaps, verify changes and produce audit reports. They enable organizations to verify and document the entire configuration-management lifecycle to demonstrate to auditors that practice follows policy, and that changes were completed as authorized and grant the intended access.

“There’s nothing more embarrassing or devastating to an organization than when you tell an auditor, ‘This is how we do it,’ and when they look, there is no semblance of what you said,” says Jeff Sherwood, principal security strategist for H&R Block, a Secure Passage customer. “Now we can come out of the gate and say, ‘This is what we do and here is proof we do it.’”

While compliance automation may be sufficient justification for their implementation, firewall audit tools also offer tangible business benefits that go beyond surviving the audit ordeal.

Performance and Optimization: This is a prime function of all these tools. Firewall performance degrades because excessive rules eat up CPU cycles, and critical access rules are situated too far down in the hierarchy because when additions were made, the focus was on speed of implementation, rather than on optimizing the configuration. Firewall audit tools clean up redundant rules and duplicate requests for access that an existing rule already grants, and flag rules that apply to objects that are no longer in use or even in existence.

Optimizing  firewalls  and  network 
devices  can  improve  performance  problems 
that  companies  might  otherwise  have  had 
to  throw  new  hardware  at.  Benefits  will  be 
even  more  noticeable  as  traffic  increases. 

Business Continuity: Performance and optimization issues can seriously slow or even bring down critical business processes. This costs the business not only revenue, but also the man-hours it must spend to deal with the problems.

“Before, our team was heavily weighted—30 percent of their time—to firefighting, toward fault analysis and fault fixing,” says Colin Miles, corporate network manager for U.K.-based Virgin Media, a Tufin Technologies user with a network infrastructure that includes more than 100 firewall pairs. “Since Tufin was implemented, that’s turned to proactive capability, rule-based efficiency and optimization of the network, driving toward people savings.”

Security: Complex configurations make security analysis very difficult. Obsolete or misconfigured rules can be exploited to give attackers access to sensitive data. Firewall administrators under pressure to fulfill business requests are likely to err on the side of granting too much access rather than too little. Firewall audit tools improve security by determining optimal rules and detecting unused and misconfigured rules (for example, a deny rule that never fires because a broader allow rule sits above it).
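The shadowed-rule, redundant-rule and stale-object checks described in the Performance and Optimization and Security sections above are simple enough to show in code. The following is an added example written for this page, not code from the article or from any of the vendors it names. The rule model, the object table and the seven-rule policy are constructed for illustration, and the shadowing check uses the single-earlier-rule simplification (a rule hidden only by the union of several earlier rules is not caught).

```python
# Added example: a minimal rule-base analyzer of the kind the audit tools
# described above automate. Not code from the article or from any vendor
# product; the rule model, the object table and the policy are constructed
# for illustration. Evaluation is first match wins, top to bottom.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    proto: str       # "tcp", "udp" or "any"
    src: str         # CIDR
    dst: str         # CIDR
    ports: tuple     # (low, high) destination port range, inclusive


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    return (proto_ok
            and _net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.ports[0] <= b.ports[0] <= b.ports[1] <= a.ports[1])


def overlaps(a, b):
    """True if at least one packet matches both rules."""
    proto_ok = "any" in (a.proto, b.proto) or a.proto == b.proto
    return (proto_ok
            and _net(a.src).overlaps(_net(b.src))
            and _net(a.dst).overlaps(_net(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def shadowed(rules):
    """Rules fully covered by a single earlier rule, whatever its action.
    They can never fire; when the earlier rule is a broad allow and the
    shadowed one a deny, the block the administrator thinks exists does not.
    (A rule hidden only by the union of several earlier rules is not
    detected by this simplified check.)"""
    return [r.name for i, r in enumerate(rules)
            if any(covers(e, r) for e in rules[:i])]


def redundant(rules, skip=()):
    """Rules fully covered by a later rule with the same action, with no
    overlapping opposite-action rule in between: deleting them changes
    nothing, so they are pure cleanup."""
    found = []
    for i, r in enumerate(rules):
        if r.name in skip:
            continue
        for later in rules[i + 1:]:
            if later.action != r.action and overlaps(r, later):
                break                      # order matters; keep r
            if later.action == r.action and covers(later, r):
                found.append(r.name)
                break
    return found


def unreferenced_objects(objects, rules):
    """Named network objects no rule uses: decommissioned hosts and the like."""
    used = {r.src for r in rules} | {r.dst for r in rules}
    return sorted(n for n, cidr in objects.items() if cidr not in used)


def analyze(rules, objects):
    sh = shadowed(rules)
    return {"shadowed": sh,
            "redundant": redundant(rules, skip=set(sh)),
            "unused_objects": unreferenced_objects(objects, rules)}


# Constructed object table and rule base for the demonstration.
OBJECTS = {"corp_net": "10.0.0.0/8", "web_dmz": "192.0.2.0/24",
           "old_db": "10.9.9.9/32"}          # old_db was decommissioned
POLICY = [
    Rule("r1", "allow", "tcp", "10.0.0.0/8",  "192.0.2.0/24",  (443, 443)),
    Rule("r2", "deny",  "tcp", "10.7.0.0/16", "192.0.2.0/24",  (443, 443)),  # shadowed by r1
    Rule("r3", "deny",  "tcp", "10.0.0.0/8",  "192.0.2.0/24",  (22, 22)),
    Rule("r4", "allow", "tcp", "10.2.5.0/24", "192.0.2.0/24",  (22, 22)),    # shadowed by r3
    Rule("r5", "allow", "udp", "10.3.0.0/16", "192.0.2.53/32", (53, 53)),    # redundant with r6
    Rule("r6", "allow", "udp", "10.0.0.0/8",  "192.0.2.0/24",  (53, 53)),
    Rule("r7", "deny",  "any", "0.0.0.0/0",   "0.0.0.0/0",     (1, 65535)),
]

if __name__ == "__main__":
    for kind, names in analyze(POLICY, OBJECTS).items():
        print(f"{kind}: {names}")
```

Run against the sample policy, r2 is the finding worth a second look: a deny the administrator believes is in force, but the broader allow above it means 10.7.0.0/16 reaches the DMZ on 443 regardless. r4 is also unreachable, r5 can be deleted without changing the policy, and old_db is an object no rule references.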

Firewall Upgrade and Migration: Upgrading firewalls and consolidating onto fewer platforms create excellent opportunities for organizations to use an audit tool. It’s a good time to cost-justify configuration cleanup and firewall optimization, rather than carrying over the old infrastructure’s issues. Since these products support multiple firewall platforms, they are well-suited for consolidation, streamlining the configurations on each and translating them onto the new platform. Virgin Media, for example, consolidated from numerous legacy platforms brought over through corporate acquisition to Check Point firewalls for its dynamic environments and Cisco for more static conditions.

Change Management: Change-management policies and processes can fall short when requests are made out-of-band, which


20  www.csoonline.com  May  2010 




>> TOOLBOX

Firewall Audit Tools

COMPANY / PRODUCTS / DESCRIPTION

AlgoSec (www.algosec.com)
  Firewall Analyzer: Performs firewall risk-management analysis, automated audit, optimization
  FireFlow: Automates change-management workflow

Athena Security (http://athenasecurity.net)
  FirePAC: Performs rule-base assessment, cleanup and validation
  Verify: Performs network mapping and access analysis

Secure Passage (http://securepassage.com)
  FireMon: Performs firewall analysis, change control and compliance

RedSeal Systems (www.redseal.net)
  Network Advisor: Continuously monitors firewalls and network devices to assess enterprise security posture
  Vulnerability Advisor: Adds vulnerability data to Network Advisor scans to assess and prioritize risk

Skybox Security (http://skyboxsecurity.com)
  Firewall Compliance Auditor: Performs on-demand firewall audit and risk assessment
  Network Compliance Auditor: Evaluates large networks for access compliance, availability and security risk
  Risk Exposure Analyzer: Creates visual models of potential network risk and attack scenarios

Tufin Software Technologies (www.tufin.com)
  SecureTrack: Performs firewall and network device change management and optimization
  SecureChange Workflow: Performs change automation, security process management and risk analysis

happens when either someone fails to follow procedure or there’s an urgent need to enable or restore service for critical business processes. Several vendors have complementary workflow products that automatically document all configuration changes and reconcile them with ticketing systems.

Dos and Don’ts

THESE PRODUCTS ARE maturing, but firewall audit is still a relatively young, small market, defined by compliance requirements. You have a fairly limited choice of vendors, including Tufin Software Technologies, AlgoSec, Secure Passage and Athena Security, which all come with firewall audit pedigrees, and RedSeal Systems and Skybox Security, which are primarily vendors of risk-mitigation tools, and so go beyond firewall audit to feature sophisticated risk-assessment and risk-management capabilities (see “Big-Picture Risk Assessment”). Take the time to define your requirements, narrow down your choices and put candidates to the test.

DO look at platform and device coverage. These products generally support all the major firewall vendors and some others, as well as major network devices, so you should be covered. Take both present and future needs into account. For example, you may run a single platform across the organization now, but future acquisitions may run on other vendors’ infrastructures. These tools should be able to help whether you plan to migrate onto a single platform or continue to manage several while still realizing the efficiencies they promise. See if the vendor has a software development kit that can allow it to integrate with unsupported platforms.

Check that coverage for network devices is included. There are a couple of considerations here. First, it may be important to you to clean up and optimize access control lists on your routers, and second, routers are increasingly featuring more built-in security capabilities.

DON’T  overlook  scalability.  Those 
vendors  that  focus  largely  on  enterprise 
deployments  claim  they  can  scale  up  to 
thousands  of  devices.  Determine  what  that 
actually  means  in  terms  of  management 
and  the  ability  to  perform  under  stress. 

“In addition, the magnitude of environment brings huge demands on technology and methods that can be used,” says the telecommunications company security officer. “What in a smaller company can be rock solid may not be applicable in a big environment. You need to be cautious about the limitation of technology.”

Choose with growth in mind. Even if a product scales to your current requirements, how well-suited is it to meet greater demands as the business grows, services are added, acquisitions are integrated and traffic increases?

DON’T buy more than you need. Some of these products are aimed at complex, heterogeneous environments with hundreds of firewalls and network devices. Measure the tool’s capabilities and cost against your environment. If your firewall environment is relatively simple and static and your traffic is fairly predictable, choose a less-expensive product that you can apply initially for your optimization project and periodically to keep your firewalls under control.

DO  put  these  products  to  the  test  once 
you  narrow  your  choices  to  those  that  claim 
to  meet  most  of  your  requirements. 

“Pick two or three of your favorites and bake them off in real-world situations,” says John Kindervag, senior analyst at Forrester Research. “The nice thing about firewall-auditing products is that you can test them on a live production environment because they are passive tools.”

Kindervag recommends testing how well they do at finding unused rules, optimizing configurations and so on, then comparing reports.

“Run the results by your firewall guru or bring in one who can say, ‘Yes, that’s a good rule change,’” he says.

You can also determine whether they actually scale and deliver analysis at the speeds they claim and what kind of hardware they’d require. Bear in mind that even a passive tool needs read access to device configurations (and, for rule-usage analysis, to logs or hit counters), so scope the credentials you grant it accordingly when you test on production gear.

DO determine your reporting requirements and evaluate the products’ capabilities accordingly. Audit reports should come first and foremost for most organizations. Evaluate the quality of summary reports—are they sufficient to prove that your control policies are, in fact, carried out?

Also,  make  sure  that  you  can  produce 
satisfactory  reports  on  demand  in  response 
to  specific  auditor  queries.  Some  products 
offer  regulation-specific  reports,  usually 
for  PCI  DSS,  which  may  be  useful. 

Since these are management tools, you’ll want to see useful operational reporting that quickly lets you see what has been done and what needs to be addressed. Make sure the reports deliver the information you want at the level of detail you need. For example, rule usage can change over time. A rule that was optimally placed at first may become a bottleneck as it’s hit with more and more traffic, and may need to be moved up in the hierarchy.
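Moving a hot rule up the hierarchy is safe only when it passes no rule that could decide the same packet differently. The following added example, written for this page and not taken from the article or from any product it names, implements that constraint as a priority-ordered topological sort: the most-hit rule is emitted first whenever every overlapping opposite-action rule that preceded it has already been placed. The rules, addresses and hit counts are constructed for illustration.

```python
# Added example, not from the article or any vendor tool: reorder a rule
# base by observed hit count without changing what it permits. Two rules
# may swap only if no packet can match both with different actions; any
# overlapping allow/deny pair keeps its relative order. Rules, hit counts
# and addresses are constructed for illustration.
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "name action proto src dst ports hits")


def _conflict(a, b):
    """Could a packet match both rules and get a different verdict?"""
    if a.action == b.action:
        return False
    proto_ok = "any" in (a.proto, b.proto) or a.proto == b.proto
    net = ipaddress.ip_network
    return (proto_ok
            and net(a.src).overlaps(net(b.src))
            and net(a.dst).overlaps(net(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def reorder_by_hits(rules):
    """Priority topological sort: at each step emit the most-hit rule whose
    ordering constraints (conflicting rules that preceded it) are satisfied."""
    must_precede = {r.name: set() for r in rules}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _conflict(earlier, later):
                must_precede[later.name].add(earlier.name)
    placed, ordered, remaining = set(), [], list(rules)
    while remaining:
        # The first remaining rule in original order is always ready, since
        # all of its predecessors came before it, so `ready` is never empty.
        ready = [r for r in remaining if must_precede[r.name] <= placed]
        best = max(ready, key=lambda r: r.hits)
        ordered.append(best)
        placed.add(best.name)
        remaining.remove(best)
    return ordered


def evaluation_cost(rules):
    """Rule comparisons per observation window: a packet that matches the
    rule in position k (1-based) was compared against k rules."""
    return sum(r.hits * pos for pos, r in enumerate(rules, start=1))


# Constructed policy with one observation window's hit counts.
POLICY = [
    Rule("r1", "deny",  "tcp", "10.9.0.0/16", "192.0.2.0/24", (22, 22),        10),
    Rule("r2", "allow", "tcp", "10.0.0.0/8",  "192.0.2.0/24", (22, 22),     70000),
    Rule("r3", "allow", "tcp", "10.0.0.0/8",  "192.0.2.0/24", (443, 443), 900000),
    Rule("r4", "deny",  "any", "0.0.0.0/0",   "0.0.0.0/0",    (1, 65535),   5000),
]

if __name__ == "__main__":
    new = reorder_by_hits(POLICY)
    print([r.name for r in new],
          evaluation_cost(POLICY), "->", evaluation_cost(new))
```

In the sample policy the HTTPS rule r3 jumps to the top, but the SSH allow r2 cannot pass the deny r1 above it, however many hits it collects, because the two overlap on the 10.9.0.0/16 source range; a tool that reordered purely by hit count would silently unblock that segment. The cost figure drops from 2,860,010 to 1,130,020 comparisons for the same traffic.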

Finally, high-level reports can demonstrate overall improvements in efficiency and security, as well as highlight which business units may be lax in properly managing their networks.

DO consider workflow integration. Most vendors offer complementary workflow products to integrate their core capabilities with change-management workflow tools, such as ticketing systems. This may not be important if your organization has a well-defined process and supporting tools, either homegrown or commercial. But some companies find this capability useful in automating their change-management programs.


DON’T  give  short  shrift  to  hardware, 
especially  if  you  are  running  one  of  these 
products  in  a  virtual  environment  in  which 
resource-sharing  may  be  an  issue. 

Make  sure  you  have  enough  CPU  and 
memory  muscle  to  support  the  product 
under  live  conditions,  and  make  provisions 
for  growth  as  traffic  increases. 

Alternatively,  you  could  go  with  one  of 
the  three  appliance-based  solutions  Tufin 
offers  in  addition  to  its  software. 

DO  review  and  refine  your  policies  and 
procedures  before  buying  and  deploying  a 
firewall  audit  product. 

Enterprise IT governance and information security are built on well-defined policies and processes. Technological tools reduce error, improve efficiency and automate analysis that frustrates manual efforts, but you won’t get their full benefit if you are simply throwing technology at a problem. Every organization is different, but here are some basic guidelines:

■ Examine corporate practices and procedures across business groups and departments. Make sure they can be applied across the organization while allowing for acceptable deviations to meet specialized needs.

■ Create a process that is documented at each step and holds each stakeholder accountable.

■ Where possible, express requests in terms of business need, rather than in narrow IT terms.

■ Have a team that evaluates requests in terms of adherence to corporate policy. Conduct both business- and technology-based risk assessments. Implementation should be dependent on passing the risk assessment.

■ Test implementation for final sign-off by both IT and the business owner. Document.

■ Rinse and repeat.


Neil  Roiter  is  a  freelance  writer.  Send  feedback 
to  editor  Derek  Slater  at  dslater@cxo.com. 




COVER STORY | IT RISK


IT  security  remains  a  field  in  search  of  solid  metrics 
and  a  common  language.  Formal  risk-assessment 
frameworks  aim  to  fill  the  gap,  but  how  well  do  these 
methodologies  work  in  the  real  world?  By  Bob  Violino 


ASSESSING AND MANAGING risk is a high priority for many organizations, and given the turbulent state of information security vulnerabilities and the need to be compliant with so many regulations, it’s a huge challenge.

Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:

■ Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)

■ Factor Analysis of Information Risk (FAIR)

■ the National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF)

■ Threat Agent Risk Assessment (TARA), a recent creation

Here’s a look at these key frameworks and some of their strengths and weaknesses, with emphasis on input from those who have used them in real-world settings.


OCTAVE

OCTAVE, developed at the CERT Coordination Center at Carnegie Mellon University, is a suite of tools, techniques and methods for risk-based infosec strategic assessment and planning.


OCTAVE defines assets as including people, hardware, software, information and systems. There are three models, including the original, which CERT says forms the basis for the OCTAVE body of knowledge and is aimed at organizations with 300 or more employees; OCTAVE-S, similar to the original but aimed at companies with limited security and risk-management resources; and OCTAVE-Allegro, a streamlined approach to information security assessment and assurance.

The framework is founded on the OCTAVE criteria—a standardized approach to a risk-driven and practice-based information security evaluation. These criteria establish the fundamental principles and attributes of risk management.

The OCTAVE methods have several key characteristics. One is that they’re self-directed: Small teams of personnel across business units and IT work together to address the security needs of the organization. Another is that they’re designed to be flexible. Each method can be customized to address an organization’s particular risk environment, security needs and level of skill. A third is that OCTAVE aims to move organizations toward an operational risk-based view of security and addresses technology in a business context.

Among the strengths of OCTAVE is that it’s thorough and well documented, says Brooke Paul, managing director at Capital Informatics and former CSO at American Financial Group. “The people who put it together are very knowledgeable,” says Paul, who has evaluated the framework for clients. “It’s been around a while and is very well-defined and freely available.”

Illustrations by Steve Traynor

Because the methodology is self-directed and easily modified, it can be used as the foundation risk-assessment component or process for other risk methodologies, says Ron Woerner, security systems analyst at HDR, an architectural and engineering firm. Woerner says he’s used a hybrid of OCTAVE, FAIR and other methodologies.

“The original OCTAVE method uses a small analysis team encompassing members of IT and the business. This promotes collaboration on any found risks and provides business leaders [with] visibility into those risks,” Woerner says. “To be successful, the risk assessment-and-management process must have collaboration.”

In addition, OCTAVE “looks at all aspects of information security risk from physical, technical and people viewpoints,” Woerner says. “If you take the time to learn the process, it can help you and your organization to better understand its assets, threats, vulnerabilities and risks. You can then make better decisions on how to handle those risks.”

Experts say one of the drawbacks of OCTAVE is its complexity. “When it shipped, we spent hours trying to understand what it was that this package was going to do for us,” says Adam Rice, global CSO and vice president of managed security services at Tata Communications, a provider of communications services.

“There  was  a  lot  of  time  taken  up  just  trying  to  understand 
what  the  approach  was,  because  it  wasn’t  very  clear  to  me,”  Rice 
says.  “Anything  that  takes  a  lot  of  time  detracts  from  its  use.” 

Paul  adds  that  a  downside  to  OCTAVE  is  that  it  doesn’t  allow 
organizations  to  mathematically  model  risk.  “It’s  a  qualitative 
methodology,  like  most  others  available  today,”  he  says. 

FAIR 

Championed by Jack Jones, the former CISO of Nationwide Mutual Insurance, FAIR is a framework for understanding, analyzing and measuring information risk. According to Jones, information security practices to date have generally been inadequate in helping organizations effectively manage information risk.

There’s a heavy reliance on practitioner intuition and experience, industry lore and best practices, Jones notes. While these are valuable, they don’t consistently allow management to make effective, well-informed decisions.

FAIR is designed to address security practice weaknesses. The framework aims to allow organizations to speak the same language about risk; apply risk assessment to any object or asset; view organizational risk in total; defend or challenge risk determination using advanced analysis; and understand how time and money will affect the organization’s security profile.

Components of the framework include a taxonomy for information risk, standardized nomenclature for information-risk terms, a framework for establishing data-collection criteria, measurement scales for risk factors, a computational engine for calculating risk and a model for analyzing complex risk scenarios.






Nationwide’s  Information  Risk  Management  (IRM)  team  uses 
FAIR  to  perform  risk  assessments.  “The  FAIR  methodology  has 
enabled  our  IRM  professionals  to  perform  risk  assessments  in  a 
consistent  manner,”  says  Chris  Hayes,  a  Nationwide  consultant 
for  risk  modeling  and  optimization. 

Another plus is the common language used. The FAIR vernacular allows the IRM team and people from IT and the business lines to talk about risk in a consistent manner, Hayes says. “Ultimately, we want to be talking about exposure that any given finding poses to our company,” he says. “The more business-focused that conversation is—especially when we are talking in terms of monetary exposure—the more meaningful the discussion becomes, which should facilitate more effective decision making.”

Paul, who uses FAIR in his consulting practice as part of risk assessments for clients, says one of the advantages of the framework is that it doesn’t use ordinal scales, such as one-to-10 rankings, and therefore “isn’t subject to the limitations that go with ordinal scales.” “For example, ‘high, medium and low’ is an example of an ordinal scale, as is ‘red, yellow and green’ and ‘one, two and three,’” Paul says. “We wouldn’t begin to imagine that we can add or multiply two medium values, nor would we add or multiply yellow plus green. Yet we see many risk calculations in our industry that do exactly that when they use addition and/or multiplication with numeric ordinal scales.”

FAIR  uses  dollar  estimates  for  losses  and  probability  values 
for  threats  and  vulnerabilities.  Combined  with  a  range  of  values 
and  levels  of  confidence,  it  allows  for  true  mathematical  modeling 
of  loss  exposures,  Paul  says. 
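Paul’s point about ordinal scales, and the dollar-and-probability modeling he credits FAIR with, are easiest to see with numbers. The following added example, not from the article or from the FAIR documentation, runs a Monte Carlo estimate over FAIR’s basic factoring (Loss Event Frequency = Threat Event Frequency × Vulnerability, and annual loss = number of loss events × loss magnitude per event), with each input given as a (min, most likely, max) range. The two scenarios and their ranges are constructed for illustration; triangular distributions and Knuth’s Poisson sampler are choices of this example, not prescribed by FAIR.

```python
# Added example, not from the article or from the FAIR body of work: a
# Monte Carlo estimate of annualized loss exposure using FAIR's basic
# factoring (Loss Event Frequency = Threat Event Frequency x Vulnerability,
# annual loss = loss events x loss magnitude), with every input given as a
# (min, most likely, max) range rather than an ordinal rank. Input ranges
# are constructed for illustration, not taken from any real assessment.
import math
import random


def _poisson(lam, rng):
    """Knuth's sampler; adequate for the event rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def simulate_annual_loss(tef, vuln, loss, iterations=20000, seed=1):
    """tef:  threat events per year, (min, most likely, max)
    vuln: probability a threat event becomes a loss event, (min, ml, max)
    loss: dollars per loss event, (min, most likely, max)
    Returns one simulated annual loss per iteration, sorted ascending."""
    rng = random.Random(seed)
    results = []
    for _ in range(iterations):
        t = rng.triangular(tef[0], tef[2], tef[1])
        v = min(1.0, max(0.0, rng.triangular(vuln[0], vuln[2], vuln[1])))
        events = _poisson(t * v, rng)            # loss events this year
        results.append(sum(rng.triangular(loss[0], loss[2], loss[1])
                           for _ in range(events)))
    results.sort()
    return results


def summarize(samples):
    n = len(samples)

    def pct(p):
        return samples[min(n - 1, int(p * n))]

    return {"mean": sum(samples) / n, "p50": pct(0.5),
            "p90": pct(0.9), "p95": pct(0.95), "max": samples[-1]}


def ordinal_score(likelihood, impact):
    """The 1-to-5 grid the text criticizes: arithmetic on ranks."""
    return likelihood * impact


# Two constructed scenarios that land on the same ordinal score (2 x 4 and
# 4 x 2 both give 8) but differ by orders of magnitude in dollar exposure.
SCENARIO_A = dict(tef=(0.5, 1, 2), vuln=(0.6, 0.8, 0.95),
                  loss=(1_000_000, 5_000_000, 20_000_000))   # rare, severe
SCENARIO_B = dict(tef=(50, 100, 200), vuln=(0.3, 0.5, 0.7),
                  loss=(100, 500, 2000))                     # frequent, minor

if __name__ == "__main__":
    for label, sc, grid in (("A", SCENARIO_A, (2, 4)),
                            ("B", SCENARIO_B, (4, 2))):
        s = summarize(simulate_annual_loss(**sc))
        print(label, "ordinal score", ordinal_score(*grid),
              "mean $%.0f  p90 $%.0f" % (s["mean"], s["p90"]))
```

Both scenarios score 8 on a likelihood-times-impact grid, yet the simulated annual exposure of A is more than a hundred times B’s (roughly $8 million against $50,000 in expectation); the grid cannot express that difference, and adding or multiplying its ranks only hides it. Swapping the triangular draws for PERT-style distributions, which FAIR practitioners commonly use, changes the shape of the output but not the approach.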

Another plus is that FAIR has more detailed definitions of threats, vulnerabilities and risks, Paul says. “Most of the methodologies have definitions, but stop at that level,” Paul says. FAIR has a taxonomy that breaks down the terms on a more granular level.

“The taxonomy enables us to describe more easily and credibly how we arrived at our conclusions,” Paul says. “This is useful in demonstrating rigor and mitigating the prevailing impression that our profession doesn’t understand risk or is basing recommendations on [FUD].”

As  for  downsides,  FAIR  can  be  difficult  to  use  and  it’s  not  as 
well  documented  as  OCTAVE,  Paul  says.  “It’s  not  as  easy  to  get 
started;  you  can  download  a  lot  of  information  about  OCTAVE,” 
he  says.  “It’s  all  very  thoroughly  put  together  and  easy  for  you  to 
get  up  and  running.  FAIR  lacks  that.” 

Hayes cites as a shortcoming of FAIR the lack of access to current information about the methodology and examples of how the methodology is applied. “Creative searching will generate some results, but the methodology itself still feels underground,” he says.

NIST  RMF 

RMF outlines a series of activities related to managing organizational risk. These can be applied to both new and legacy information systems, according to the NIST. The activities include:

■ Categorizing information systems and the information within those systems based on impact.

■ Selecting an initial set of security controls for the systems based on the Federal Information Processing Standards (FIPS) 199 security categorization and the minimum security requirements defined in FIPS 200.

■ Implementing security controls in the systems.

■ Assessing the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcomes with respect to meeting security requirements for the system.

■ Authorizing information systems operation based on a determination of the risk to organizational operations and assets, or to individuals resulting from the operation of the systems, and the decision that this risk is acceptable.

■ Monitoring and assessing selected security controls in information systems on a continuous basis, including documenting changes to the systems, conducting security-impact analyses of the associated changes, and reporting the security status of the systems to appropriate organizational officials on a regular basis.

“Not only is this framework valuable in assessing risks, it is invaluable in managing those risks,” says Ruth Horaczko, practice leader of the risk assessment and IT division of Lyndon Group, an IT and business advisory consulting firm.

The primary strength of RMF is that it was developed by the NIST, which is charged by Congress with ensuring that security standards and tools “are researched, proven and developed to provide a high level of information security infrastructure,” Horaczko says.




Because  government  agencies  and  the  businesses  that  support 
them  need  their  IT  security  standards  and  tools  to  be  both  cost- 
effective  and  highly  adaptable,  Horaczko  says,  the  framework 
is  constantly  being  reviewed  and  updated  as  new  technology  is 
developed  and  new  laws  are  passed. 

Furthermore, independent companies have developed tools that support the NIST standards, Horaczko says. “Knowing that the basis for applications is stable, software development companies are more willing to develop application tools to support the framework,” she says.

Rice  says  Tata  Communications  uses  the  NIST  framework  in 
several  lines  of  business  and  in  its  IT  department  to  assess  and 
manage  risk.  The  model  helps  the  company  determine  when 
something  exceeds  a  certain  threshold  of  risk. 

“I think a strength is that the authors of [the RMF] were thinking along the right lines in [identifying] major factors that deter risk,” Rice says. “We looked at many, and I think their approach is solid. The framework allows the company to easily determine which systems or applications present the highest risk if security breaches occur.”

As  for  weaknesses,  “like  any  of  these  frameworks,  you  have 
to  make  sure  that  the  people  who  are  doing  the  risk  assessment 
have  the  discipline  to  put  reasonable  data  into  the  model  so  you 
get  reasonable  data  out,”  Rice  says. 

“Also, it’s a document; it’s not an automated tool,” Rice says. “I’d like to have a tool we could incorporate that allows the process to be completely automated. That’s something we’ll probably develop over time, because I’m not sure there are any off-the-shelf tools.”

Another  weakness  of  RMF  is  its  nomenclature,  Horaczko  says. 
“The  use  of  acronyms  throughout  the  framework  and  supporting 
tools  is  pervasive,”  she  says. 

TARA 

TARA (Threat Agent Risk Assessment) is a new risk-assessment framework, created by Intel this January, that helps companies manage risk by distilling the immense number of possible information security attacks into a digest of only those exposures that are most likely to be exploited. The premise is that it would be prohibitively expensive and impractical to defend against every possible vulnerability.

By  using  a  predictive  framework  to  prioritize  areas  of  concern, 
organizations  can  proactively  target  the  most  critical  exposures 
and  apply  resources  efficiently  to  achieve  maximum  results. 

The TARA methodology identifies which threat agents pose the greatest risk, what they want to accomplish and the methods they are most likely to use. Those methods are cross-referenced with existing vulnerabilities and controls to determine which areas are most exposed. The security strategy then focuses on these areas, minimizing effort while maximizing effect.

Intel says awareness of the most exposed areas allows the company to make better decisions about how to manage risks, which helps with balancing spending, preventing impacts and managing to an acceptable level of residual risk. The TARA methodology is designed to be readily adapted when a company faces changes in threats, computing environments, behaviors or vulnerabilities.

TARA relies on three main references to reach its predictive conclusions. One is Intel’s threat agent library, which defines eight common threat agent attributes and identifies 22 threat agent archetypes. The second is its common exposure library, which enumerates known information security vulnerabilities and exposures at Intel; several publicly available common exposure libraries are also used to provide additional data. The third is Intel’s methods and objectives library, which lists known objectives of threat agents and the methods they are most likely to use to accomplish these goals.
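As an added illustration (not Intel’s TARA code, and not its actual libraries, which this article does not reproduce), the Python sketch below shows the cross-referencing step just described: a threat agent library, a methods and objectives library and a common exposure library, with each uncontrolled exposure ranked by the likelihood of the agents whose preferred methods would exploit it. Every agent name, attribute value, likelihood, method, exposure and the scoring rule itself is a constructed assumption; Intel’s eight attributes and 22 archetypes are not represented.

```python
"""TARA-style threat-agent prioritization: a simplified, added illustration.

Not Intel's TARA or its libraries. Every agent, attribute value, method,
exposure and the scoring rule below is a constructed assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatAgent:
    """One archetype from a threat agent library (constructed attributes)."""
    name: str
    intent: str         # "hostile" or "non-hostile"
    access: str         # "internal" or "external"
    skill: int          # 1 (minimal) .. 4 (adept)
    resources: int      # 1 (individual) .. 4 (government)
    likelihood: float   # assumed probability the agent acts against us


@dataclass(frozen=True)
class Exposure:
    """One entry in a common exposure library (constructed)."""
    name: str
    exploited_by: frozenset   # attack methods that would use this exposure
    controlled: bool          # is a mitigating control already in place?


# Constructed threat agent library (a handful of archetypes, not Intel's 22).
AGENTS = [
    ThreatAgent("disgruntled employee", "hostile", "internal", 2, 1, 0.30),
    ThreatAgent("industrial spy", "hostile", "external", 3, 3, 0.20),
    ThreatAgent("nation state", "hostile", "external", 4, 4, 0.05),
    ThreatAgent("reckless admin", "non-hostile", "internal", 3, 1, 0.40),
]

# Constructed methods-and-objectives library: agent -> (objective, likely methods).
METHODS = {
    "disgruntled employee": ("sabotage", {"abuse privileged access", "delete backups"}),
    "industrial spy": ("steal designs", {"spear phishing", "abuse privileged access"}),
    "nation state": ("steal designs", {"spear phishing", "zero-day exploit"}),
    "reckless admin": ("none", {"misconfiguration"}),
}

# Constructed common exposure library, with the control status of each entry.
EXPOSURES = [
    Exposure("shared root password", frozenset({"abuse privileged access"}), False),
    Exposure("no mail attachment sandbox", frozenset({"spear phishing"}), False),
    Exposure("unpatched web server", frozenset({"zero-day exploit"}), True),
    Exposure("world-writable config", frozenset({"misconfiguration"}), False),
    Exposure("single backup copy", frozenset({"delete backups"}), True),
]


def prioritize(agents, methods, exposures, min_likelihood=0.10):
    """Rank uncontrolled exposures by the summed likelihood of the agents
    whose likely methods would exploit them.

    Returns [(exposure name, score, [contributing agents]), ...], highest
    score first. Agents below min_likelihood and exposures that already
    have a control are dropped, which is the digesting step: the full
    attack space shrinks to the exposures most likely to be used.
    """
    score = defaultdict(float)
    contributors = defaultdict(list)
    for agent in agents:
        if agent.likelihood < min_likelihood:
            continue
        _objective, agent_methods = methods[agent.name]
        for exposure in exposures:
            if exposure.controlled:
                continue
            if agent_methods & exposure.exploited_by:   # cross-reference step
                score[exposure.name] += agent.likelihood
                contributors[exposure.name].append(agent.name)
    ranked = sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(name, round(s, 2), contributors[name]) for name, s in ranked]


if __name__ == "__main__":
    for name, s, who in prioritize(AGENTS, METHODS, EXPOSURES):
        print(f"{s:.2f}  {name}  <- {', '.join(who)}")
```

Agents whose likelihood falls under the cutoff and exposures that already have a control drop out of the ranking; the shared root password rises to the top because two plausible agents share the method that exploits it. Note that the score is driven by threat likelihood alone: the value of the asset behind an exposure does not enter it, so a program that needs an impact dimension would have to add that term itself.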

“I  quite  like  what  [Intel]  has  done  with  TARA  and  believe 
that  it  has  promise,”  says  Andrew  Jaquith,  a  senior  analyst  at 
Forrester  Research.  “It  is  well  suited  for  manufacturers,  critical 
infrastructure  providers  and  others  who  want  to  evaluate  risks 
from  named  actors  like  industrial  spies,  nation-states  and  rogue 
administrators.” 

Hayes says he’s reviewed information about TARA that Intel has released. “What I really like about TARA is the threat agent view of risk,” he says. “There are parts of TARA—the threat agent library and the methods and objectives library—that can be easily used within other risk-assessment methodologies, especially if there is a need to standardize on common threat agents and corresponding methods.”

TARA  “appears  to  be  a  good  tool  for  identifying,  predicting 
and  prioritizing  threats  against  your  infrastructure,”  Woerner 
adds.  “You  can  use  it  to  create  common  libraries  that  can  be 
shared  among  different  groups.” 

The framework “focuses on threats rather than assets, [on] what bad things can happen,” Woerner says. “This is both good and bad. By focusing on threats rather than asset value, an assessor may miss the mark in identifying true infrastructure risks. It also seems to make the assumption that the only way to view risk is from the perspective of ‘What’s the worst thing that could happen?’”

When  he’s  conducting  a  risk  assessment,  Woerner  asks  two 
critical  questions:  What’s  the  most  likely  threat  against  a  specific 
critical  asset  and  what’s  the  biggest  impact  that  could  occur  with 
the  asset?  “TARA  only  addresses  the  likelihood  of  threat  events, 
but  doesn’t  take  into  account  the  risk’s  impact,”  he  says. 

Paul  says  another  drawback  of  the  framework  is  that  it’s  new 
and  untested.  “You  don’t  hear  a  lot  about  people  using”  TARA, 
he  says.  “TARA  also  appears  to  be  yet  another  qualitative 
methodology  rather  than  one  that  can  be  used  for  quantitative 
analysis.”  ■ 

Bob Violino is a freelance writer. Send feedback to Editor Derek Slater at dslater@cxo.com.




FRAUD  PREVENTION 








Financial institutions once considered fraud an annoying but acceptable risk. As the stakes rise, banks and lenders must connect their defensive efforts.

By  Joan  Goodchild 


FOR MOST OF his almost two decades in the financial services industry, Brad McFarland has been heading up fraud investigations. Currently director of corporate security with the South Financial Group, a South Carolina-based financial services holding company, McFarland is responsible for the organization’s physical security and loss prevention in addition to fraud investigation.

Over  the  course  of  his  career,  McFarland 
has  seen  dramatic  changes  in  the  emphasis  and 
importance  placed  on  fraud.  In  the  past,  says 
McFarland,  “Many  institutions  did  not  employ 
fraud  investigators.  Fraud  was  a  cost  of  doing 
business.” 

But times have changed. Thanks to regulatory requirements and the damage to financial firms’ reputations that data leakage and identity theft can cause, stopping fraud is now a high priority. And that means the way investigations are conducted has evolved, too. McFarland gave CSO a breakdown of how fraud investigators and corporate, physical and information security have come together in a mission to stay one step ahead of the bad guys.




CSO: As director of corporate security, you lead fraud investigations within the organization. How do you draw the line between fraud and corporate security?

Brad McFarland: Those processes are linked. Each security discipline must hold hands in order to have an effective security program. The security program impacts fraud prevention, the safety of your employees, the security of institutional data and customer information. A program needs to address the security of your facility and maintain your reputation or keep risk to it in check. As part of a global security program, it is important to institute an effective training program for security disciplines.

I  don’t  see  any  real  barrier  between 
those  groups  anymore.  It’s  necessary  that 
we  maintain  a  strong,  unified  partnership 
to  combat  the  issues  we  are  seeing  now 
across  the  financial  services  industry. 

You  have  a  background  in  financial  fraud, 
but  many  other  CSOs  don't.  What  are  the 
absolute  basics  of  fraud  prevention  that 
those  security  leaders  should  know? 

Of course professional certifications are important and they play a valuable role in expanding one’s knowledge base. Certifications also have a special value in the industry and they can represent advantages to employees that obtain a relevant designation.

However,  from  a  broad  perspective, 
there  are  a  few  basic  steps  that  all  security 
leaders  should  employ: 

First and foremost, have a basic understanding of accounting principles. Assist in the implementation and utilization of sound accounting practices—from a risk-management perspective you should trust but verify accounting controls.

Second,  make  sure  that  you  are  aware  of 
the  legal  regulations  that  govern  your  field. 

Third, one simple guideline: communication. Effective communication plays a big role in achieving desired results.

And fourth, implementation of effective investigation processes, including interviewing witnesses, documenting operations and using analysis tools.

What kind of frauds do you typically investigate in the financial services industry?

Fraud is constantly evolving as perpetrators co-opt the technological advances that are meant to assist us. Fraudsters are creating more diverse and complex schemes. That has required us to be more sophisticated in our approach to prevent attacks.

External  fraud  that  we  investigate  is 
often  check  fraud,  our  biggest  category 
and  exposure.  That’s  true  across  financial 
services. 

Is  check  fraud  declining  as  more  people  use 
direct  deposit  and  systems  like  PayPal? 

Despite the continued growth of online payment systems, check fraud has continued to grow in both number of cases and total exposure amounts.

Today, fraud risk associated with the check fraud category is generally derived from organized counterfeit-check rings. The majority of check fraud cases originate from foreign lottery scams, check overpayment scams, Internet auction scams and work-from-home scams. Investigation of these incidents is a challenge, because the individual that negotiates the fraudulent item is an unwitting participant in the criminal enterprise and the mastermind behind these schemes is usually located outside the United States.

Institutions are also experiencing a significant increase in cybercrime.

Other external fraud includes wire fraud, automated clearing house fraud, anti-money laundering issues, debit card fraud as a result of skimming devices, external loan fraud, identity theft, fraudulent accounts created under fraudulent identities, online customer credential theft and hijacked accounts.

Internal fraud is on the rise globally. It is an ongoing challenge to our industry. I foresee an ongoing increase as fraudsters continue to take advantage of the relative anonymity that’s provided by new technologies and the Internet.

Criminals are energized by the current market for information. At one time, internal fraud simply meant a theft of cash. We now see that criminal activity from an internal perspective includes the theft of data. That is where a huge risk lies, particularly as related to customer data. Data theft poses risks to a company’s reputation, finances and ability to comply with regulations.

Photography by Milton Morris

What  other  internal  frauds  do  you 
investigate? 

Really, any internal theft. It could be falsification of an application, manipulation of data, theft from customer accounts or customer data theft, where customer information is converted for fraudulent personal use or the stolen data is sold to organized criminal groups.

Why do you think global fraud is on the rise? Is it a byproduct of the economy or do you think it’s that technology enables it more now?

I think it’s really based on the technology. Although we have controls in place to assist in addressing vulnerabilities, fraudsters co-opt the technology and utilize it to create more diverse schemes. It is an ongoing battle as we attempt to stay one step ahead of the bad guys.

What's  the  most  challenging  aspect  of 
fraud  investigation? 

To me, internal fraud is the most challenging because of the time it takes for an internal fraud to be detected. The typical time between the initiation of the fraudulent activity and its detection makes it difficult for a financial institution to recover funds. That is one of the jobs of the corporate investigations department. It’s our job to stop the bleeding and recover any funds available.

Historically, most fraud was reported via a tip—suspicions aroused within a business unit, discrepancies noted by customers, and so on. Today, it is important that companies implement data analysis in an effort to take a proactive approach to fraud detection.

On  its  face,  data  analysis  is  a  fraud 
detection  tool.  When  a  fraudulent  scheme 
is  detected,  an  organization  can  take  the 
necessary  steps  to  prevent  additional  loss. 
Fraud  detection  begets  fraud  prevention. 

Strong data analyzed in tandem with knowledge of potential criminal schemes can effectively allow an organization to mitigate its potential fraud risk. Data analysis can assist an organization in the identification of counterfeit check activity, compromised accounts, insider issues and detection of potential regulatory-compliance issues.

Fraud detection and prevention systems that are used to identify suspicious behavior should be flexible because they must account for the fluid nature of fraud schemes. A fraud analyst can determine if the flagged activity is an actual fraud or just an anomaly. If the activity is confirmed as fraud, the issue should be investigated.

With data theft, it’s really difficult to detect what data has been stolen and what parties it’s been transferred to. It is a long, arduous process that often requires a lot of forensic investigation on computers and systems that the individual might have accessed. It often takes a lot of law enforcement cooperation as well.

The greatest issue with internal fraud boils down to risk—the potential for loss is huge because of the time lag, and risks to reputation and liability issues can continue to arise because trickle-down identity theft can occur as a result of stolen data. The potential impact of an internal fraud is colossal.

How  do  internal  fraud  and  external  fraud 
investigations  differ? 

At ground level, investigation is investigation. But for internal investigation, the biggest difference is the number of parties that become involved in the investigation: You typically have the business unit where the fraud originated, management from the impacted areas and human resources. Information technology or information security needs to be involved to look at any available data and analyze what kind of electronic fingerprints have been left by the perpetrator(s).

In our organization, we deploy a risk-management team. This is not necessarily to assist in the investigation; instead, this group is a byproduct of the investigation, whose function is to look at controls that need to be implemented in an effort to prevent issues from recurring.

It is increasingly important to communicate with peer institutions and with law enforcement. Perpetrators are operating in multiple areas and are involving multiple institutions and players. If we want to prosecute fraudsters effectively, it’s important to have dialogue with others to try and get the full picture.

Information sharing is a tremendous benefit, but it can be a challenge in coordinating those parties. That is why I’m such an advocate of external fraud information-sharing groups and partnering with law enforcement.

You  work  closely  with  the  CISO  at  the 
South  Financial  Group.  Tell  us  about  that 
relationship. 

The relationship between information security and other security disciplines is highly visible in our organization.

Controls addressing physical and information security have an impact on fraud prevention. A physical security break and a data security break can lead to removal of assets or data that can be used in a fraudulent scheme. Incident monitoring, incident analysis and incident response are direct links between corporate security and fraud risk mitigation.

Services  like  video  surveillance,  access 
control,  multifactor  authentication,  logging 
practices,  firewalls,  log-on  requirements, 
strong  passwords  and  clean-desk  policies 
play  an  important  role  in  fraud  prevention 
and  investigation  efforts  either  through 
preventive  measures  or  recovery  of  data 
that  is  recorded. 

Because of the partnership with information security, we find we can capitalize on resources that were typically used for data security management in the fraud prevention arena. In our organization, we have implemented a risk team that is comprised of representatives from each of the security disciplines, the risk management unit, the corporate legal department and any potentially impacted business units. This team is used to assess risks that arise from an incident or that are associated with a new initiative. Via process analysis, the group recommends controls that might mitigate any risks.

It is important for companies to realize the importance of seating security management at the table when discussing product development or operating policy implementation. Effective utilization of an organization’s security team allows for a better understanding of risk across the enterprise. As a result, the company can realize enhanced ROI on risk and compliance initiatives. ■




[INDUSTRY VIEW]

Craig  Priess,  Guardian  Analytics 


Fraudsters  Bank  on  Business  Accounts 

Business  banking  is  a  popular  target  for  hacks  and  attacks. 

Craig  Priess  of  Guardian  Analytics  offers  practical  defensive  steps. 


After a meteoric rise in popularity over the last decade, online banking is now pervasive. The power of convenience has largely trumped customers’ fears about security, but there are signs that the tide may be turning. Perhaps exacerbated by the global recession and shocks to the financial markets, cybercriminals have been targeting business bank accounts with increasing frequency over the last year, catapulting the conversation about online banking security into the corporate realm. This trend is getting the attention of authorities such as the FBI, FDIC and Department of Homeland Security, and has been described by many as a leading cybercriminal trend of 2010.

Businesses are increasingly liable for these incidents because Regulation E, which implements the Electronic Fund Transfer Act, doesn’t protect business accounts the way it does consumer accounts. It’s therefore particularly important for companies to re-examine their online business-banking practices and take a proactive approach to protecting themselves from such attacks and their associated losses. Banks, too, must strengthen their security practices to combat the tactics cybercriminals are now using to perpetrate this type of fraud.

In just the month of August 2009, the FDIC, the Electronic Payments Association, the Financial Services ISAC and the IT advisory firm Gartner all published alerts about rising threats to online business banking. The following month, the Senate Committee on Homeland Security and Governmental Affairs held a special hearing to discuss cybercriminals targeting small and midsize businesses. New protective cybersecurity legislation has been introduced, co-sponsored by Sens. Joe Lieberman (I-Conn.) and Susan Collins (R-Maine). Frequent reports of victimized businesses continue into 2010, with several companies even suing their banks.

The losses are substantial. The Washington Post reported that recent victims include a school district near Pittsburgh, which lost $700,000, and an electronics testing firm in Baton Rouge, which lost $100,000. One of Guardian Analytics’ customers recently intercepted an attempted automated clearing house (ACH) transfer of $800,000 that was part of a scheme involving more than 80 smaller transactions arranged to be sent to unwitting mules. For many small and midsize businesses, these losses are catastrophic and can mark the beginning of the end if banks refuse to reimburse them.

Cyberfraud  Schemes 
Becoming  Highly  Sophisticated 

Cybercriminal activity is constantly evolving to capitalize on new profit streams. In the case of business banking, online fraudsters can avoid triggering traditional fraud alerts by stealing amounts under $10,000 at a time from business accounts. The malware used to gain access to accounts is often so well written that it hijacks a legitimate, already-authenticated session from the victim’s own machine, so the connection comes from an authorized and authenticated computer, circumventing even token-based authentication. The money is then transferred to “money mules,” often recruited over Internet job boards, who unwittingly help cybercriminals.

The use of electronic funds transfers, including the increasing volume of ACH transactions for corporate payments, is making this channel a particularly attractive target for fraud. Historically low-risk, the ACH network has recently expanded to include more participants and new types of nonrecurring payments, such as web-initiated ACH files. Over the past year, the FDIC has noted an increase in the number of reports and the amount of losses resulting from unauthorized transfers from business customers whose online banking software credentials were compromised. A J.P. Morgan study found that 71 percent of financial institutions experienced attempted or actual payments fraud in 2008. That number jumps to 80 percent among firms with revenues of more than $1 billion.

Corporate account takeovers employing ACH fraud are becoming more prevalent. Criminals are targeting corporate cash-management accounts and moving money out via seemingly innocent consumer accounts. The crook starts by stealing the user IDs and passwords of cash-management account owners and, separately, recruiting random consumers through phishing attacks. The phishing e-mails ask people to allow money to be transferred into their accounts and then passed on to the criminal’s offshore account in exchange for a five percent commission; the phishers use clever social-engineering techniques to get consumers to sign up. After the groundwork has been laid, the crook simply logs into the corporate account and transfers funds, using ACH fund-transfer facilities, from it to the phished consumer accounts. The victimized commercial banks generally fail to recover the stolen funds.

Photo by Getty Images

NEWSLETTER

Security Smart is a quarterly security awareness newsletter ready for distribution to your employees, saving you precious time on employee education! The compelling content combines personal and organization safety tips, so it is applicable to many facets of employees' lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees, your organization's most valuable assets, will read and retain the information.

Subscribe today!

To view a sample issue of the newsletter, learn about the delivery options and to subscribe, visit: www.SecuritySmartNewsletter.com

Security Smart is published by CSO, a business unit of CXO Media. © 2007 CXO Media Inc.

Taking  Action:  Preventing 
Business-Banking  Fraud 

Given  the  recent  rise  in  these  targeted 
attacks  against  businesses,  security  officers 
should  educate  themselves  about  the  threat 
and  be  on  guard,  taking  steps  to  prevent 
losses,  which  could  be  significant.  Here  are 
some  practical  tips  to  protect  your  company 
from  online  business-banking  fraud: 

Choose a bank with proactive fraud-prevention technologies. Ask your bank whether it has a fraud-monitoring system in place to detect suspicious online account activity, how it responds to alerts and how quickly it takes action. Despite increased regulation, many financial institutions still have not implemented the latest technologies, which are necessary to fight today’s sophisticated threats. Your bank’s online account platform is only as secure as the technology behind it.

Educate your financial managers on the risks and threats. Forward the latest advisories from your bank or regulators, such as the FDIC, to whoever manages your online business accounts, perhaps even to the entire finance department, as well as to heavy online banking users such as the CEO. Distribute the latest cyberattack reports to the entire IT group so more stakeholders can become educated about cybercrime and its methods.

Isolate your Internet banking activities. Dedicate specific machines or facilities to hosting your Internet banking activities and harden their defenses against external attack. Don’t transact financial business on machines used for other systems or applications, such as general Web browsing and e-mail, because their continual exposure to the public Internet creates a weak link in your security effort.

Understand your bank’s fraud-loss policy. If your business becomes the victim of online banking fraud, you have fewer rights than you would as an individual consumer. Ask your bank what its policies are on protecting business accounts, investigating possible fraud, assigning fault in a claim and making your accounts whole. It is better to understand your risk exposure and have a plan of attack before entering any dispute with your bank.

Monitor for irregularities and missing funds. It is imperative for any business to always be on the lookout for abnormalities. Many banks offer transaction alerts so customers can be automatically and instantly notified of important account activity. Many also offer a debit block, a control that rejects any ACH debit against the account unless it has been preauthorized. Ask your bank about such services and sign up for them.

Re-examine your anti-malware software and firewalls. Keeping your network’s anti-malware and firewalls updated, particularly in the finance department, is Job No. 1 for security pros. Falling behind on updates and patches could jeopardize your business’s entire financial health. In the event of a breach, your bank will automatically assume that your machines have been compromised. Be ready to prove it wrong.

What  Banks  Can  Do 

Banks should be taking the recent attacks seriously. If you work at a financial institution, here are some recommendations for what you should be doing to protect both yourself and your customers:

Assume  that  customer  machines  have 
been  compromised  and  react  accordingly. 
Forward-looking  banks  already  do  this 
by  implementing  sophisticated  back-end 
fraud  prevention  solutions  that  go  beyond 
multifactor  authentication  and  look  for 
anomalies  in  a  customer’s  behavior  to  reveal 
account  compromises.  Fraud  attempts  will 
happen,  so  you  have  to  think  ahead. 

Strengthen your online fraud defenses. Would your current fraud system recognize an online fraud like the ones detailed above? If not, it’s time to strengthen your security defenses. Security should be commensurate with the risks, which is the essence of the Federal Financial Institutions Examination Council’s authentication guidance of 2005.

Review customer policies. Revisit terms of use for ACH transactions to ensure bank and customer obligations are clear and consistent with security policies as well as legal and regulatory requirements.

Educate management and employees on threats. Distribute the latest fraud attack reports beyond the fraud team so more stakeholders can become educated about questionable transactions and understand the risks to the institution should a business customer fall victim.

Be proactive. Don’t let your institution get tangled in unexpected lawsuits. Meet with legal counsel to discuss procedures following a business-banking fraud discovery. Know your rights in case a customer ever decides to sue. Avoid losing lucrative customers by assuring them that you have the most effective fraud-prevention solutions in place.

Despite increased regulation, many financial institutions still have not implemented the latest technologies beyond user authentication.

Educate customers on the threat. Initiate programs to educate financial managers within small-business customer organizations, forwarding the latest fraud advisories and stressing distribution to heavy online users such as the CEO, CFO and accounting. Aim to increase general customer awareness of optional security features of your online banking platform, such as dual control of transfers, and advocate use of the latest anti-malware software and security firewalls. ■


Craig Priess is founder and vice president of products and business development at Guardian Analytics, and has more than 15 years of experience in enterprise software technology. Send feedback to Editor Derek Slater at dslater@cxo.com.


34 www.csoonline.com May 2010


CSO Forum on LinkedIn

Share best practices and insight and discuss your challenges with your security executive peers.

The CSO Forum is where members of the security community can connect and collaborate to move their security and technology initiatives and careers forward.

If you are a senior security or IT professional, we'd love to have you join. Apply for membership today.

Visit linkedin.com, click Groups and search for "CSO Forum"

Facilitated by CSOOnline.com and CSO Magazine

CSO
BUSINESS RISK LEADERSHIP


[ DEBRIEFING ]

Spring Cleaning

Security pros are sweeping out their supply closets. You know what that means: a chance to upgrade your equipment with bargains from eBay!

Item | Bids | Price | Time Left
Security badge/backstage pass from Megadeth's "Peace Sells, But Who's Buying?" tour | 7 bids | $27.00 | 2d 8h 23m
State-of-the-art intrusion detection system (Amiga-based) | 47 bids | $8.50 | 36m
Case of blank CCTV tapes (Betamax) | 0 bids | $25.00 | 45m
L0phtCrack 2 | 0 bids | $5.00 | 48m
Full set of Star Wars Power of the Force figurines, mint condition | 15,239 bids | $4,397 | 2d 8h 0m
Book package: Reengineering the Corporation; The 7 Habits of Highly Effective People; Who Moved My Cheese?; Getting to Yes; Good to Great; and Fad Surfing in the Boardroom | 2 bids | $13.25 | 58m
MREs (24 count, date of issue uncertain; buy now for bonus box of RCWs) | 0 bids | $1.00 | 1h 26m
Cap'n Crunch whistle, some teeth marks | 1 bid | $M42 | 12y 4d 13h



Two-Factor Authentication

1. User enters username and password.
2. Instantly, user receives a call, simply answers and presses # (or a PIN) to complete the login.

Get the strong two-factor security you need to protect against today's sophisticated threats without the hassle and cost of yesterday's technology.

• Easy to Setup, Manage, and Use
• Strong Out-of-Band Authentication
• Rapid Regulatory Compliance
• Far Less Expensive Than Tokens

PhoneFactor
www.phonefactor.com | 1.877.NoToken


CHANGES HAPPEN. BREACHES HAPPEN. AUDITS HAPPEN.

TAKE CONTROL WITH THE ALL-IN-ONE SOLUTION FOR SECURITY™

Introducing the Tripwire VIA Suite

Tripwire VIA is the automated compliance solution that provides IT leaders with the power to take control. It's the only solution that integrates both change and event data to help reduce the breach-to-detection time gap. Unlike siloed tools, this powerful combination helps your organization prove continuous compliance, protect sensitive data and prevent outages. Tripwire VIA changes everything.

VISIBILITY into events across your entire infrastructure
INTELLIGENCE transforms data noise into actionable information
AUTOMATION frees your staff for strategic projects

Tripwire Enterprise
Tripwire Enterprise helps IT tackle security, change, and configuration control challenges head-on.

Tripwire Log Center
Tripwire Log Center is an all-in-one log and event management solution.

©2010 Tripwire, Inc. Tripwire is a registered trademark and VIA a trademark of Tripwire, Inc. All rights reserved.

Find Out More at: VIACHANGESEVERYTHING.COM


